hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From els...@apache.org
Subject hbase git commit: HBASE-17717 Explicitly use "sasl" ACL scheme for hbase superuser
Date Thu, 02 Mar 2017 20:50:30 GMT
Repository: hbase
Updated Branches:
  refs/heads/master 06e984b08 -> 5645684ec


HBASE-17717 Explicitly use "sasl" ACL scheme for hbase superuser

The special "auth" ZK ACL scheme will always set the ACL's id (the
user who is allowed) to be the authenticated user of the ZK connection.
This results in the HBase superuser not actually receiving the
permissions as the ZKUtil intends to do. Since we know we have security
enabled, we can instead explicitly list "sasl" as the ACL scheme
instead.


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/5645684e
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/5645684e
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/5645684e

Branch: refs/heads/master
Commit: 5645684ec9e77d9af6c75b3378468a167cdc9788
Parents: 06e984b
Author: Josh Elser <elserj@apache.org>
Authored: Wed Mar 1 18:41:05 2017 -0500
Committer: Josh Elser <elserj@apache.org>
Committed: Thu Mar 2 15:46:33 2017 -0500

----------------------------------------------------------------------
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   |  2 +-
 .../hadoop/hbase/zookeeper/TestZKUtil.java      | 34 +++++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/5645684e/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 98c96ec..3e00e04 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -915,7 +915,7 @@ public class ZKUtil {
             // TODO: Set node ACL for groups when ZK supports this feature
             groups.add(user);
           } else {
-            acls.add(new ACL(Perms.ALL, new Id("auth", user)));
+            acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
           }
         }
         if (!groups.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/hbase/blob/5645684e/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 2795472..076569b 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
@@ -40,6 +41,29 @@ import org.junit.experimental.categories.Category;
 public class TestZKUtil {
 
   @Test
+  public void testUnsecure() throws ZooKeeperConnectionException, IOException {
+    Configuration conf = HBaseConfiguration.create();
+    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+    String node = "/hbase/testUnsecure";
+    ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+    List<ACL> aclList = ZKUtil.createACL(watcher, node, false);
+    Assert.assertEquals(aclList.size(), 1);
+    Assert.assertTrue(aclList.contains(Ids.OPEN_ACL_UNSAFE.iterator().next()));
+  }
+
+  @Test
+  public void testSecuritySingleSuperuser() throws ZooKeeperConnectionException, IOException
{
+    Configuration conf = HBaseConfiguration.create();
+    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+    String node = "/hbase/testSecuritySingleSuperuser";
+    ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+    List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+    Assert.assertEquals(aclList.size(), 2); // 1+1, since ACL will be set for the creator
by default
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+    Assert.assertTrue(aclList.contains(Ids.CREATOR_ALL_ACL.iterator().next()));
+  }
+
+  @Test
   public void testCreateACL() throws ZooKeeperConnectionException, IOException {
     Configuration conf = HBaseConfiguration.create();
     conf.set(Superusers.SUPERUSER_CONF_KEY, "user1,@group1,user2,@group2,user3");
@@ -47,10 +71,10 @@ public class TestZKUtil {
     ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
     List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
     Assert.assertEquals(aclList.size(), 4); // 3+1, since ACL will be set for the creator
by default
-    Assert.assertTrue(!aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group1")))
-        && !aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group2"))));
-    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", "user1")))
-        && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user2")))
-        && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user3"))));
+    Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+    Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group2"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
   }
 }


Mime
View raw message