From els...@apache.org
Subject hbase git commit: HBASE-17717 Explicitly use "sasl" ACL scheme for hbase superuser
Date Thu, 02 Mar 2017 20:57:16 GMT
Repository: hbase
Updated Branches:
  refs/heads/branch-1 88f909cf1 -> 85b5d4931


HBASE-17717 Explicitly use "sasl" ACL scheme for hbase superuser

The special "auth" ZK ACL scheme will always set the ACL's id (the
user who is allowed) to be the authenticated user of the ZK connection.
This results in the HBase superuser not actually receiving the
permissions that ZKUtil intends to grant. Since we know we have security
enabled, we can instead explicitly list "sasl" as the ACL scheme
instead.


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/85b5d493
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/85b5d493
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/85b5d493

Branch: refs/heads/branch-1
Commit: 85b5d493152f61ba159a7ce61c9eb679804e17c9
Parents: 88f909c
Author: Josh Elser <elserj@apache.org>
Authored: Wed Mar 1 18:41:05 2017 -0500
Committer: Josh Elser <elserj@apache.org>
Committed: Thu Mar 2 15:50:38 2017 -0500

----------------------------------------------------------------------
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   |  2 +-
 .../hadoop/hbase/zookeeper/TestZKUtil.java      | 34 +++++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/85b5d493/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 66ddb62..3cbc317 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -919,7 +919,7 @@ public class ZKUtil {
             // TODO: Set node ACL for groups when ZK supports this feature
             groups.add(user);
           } else {
-            acls.add(new ACL(Perms.ALL, new Id("auth", user)));
+            acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
           }
         }
         if (!groups.isEmpty()) {
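Review bot: The `sasl` id added on the new line only grants anything if `user` is byte-for-byte the identity the ZooKeeper server derives from the client's SASL authentication; for Kerberos that is the full principal unless the server is configured to strip the host and realm, whereas the value in the superuser configuration is presumably a short user name, so a mismatch silently yields an ACL that matches nobody. That assumption deserves a comment on the added line, e.g. `// "sasl" scheme: id must equal the principal the ZK server exposes after SASL auth (host/realm stripping is a server-side setting)`, and logging the resulting ACL list at debug level would let an operator confirm the match. Note also that nothing here guards against `user` being empty or whitespace, which would add an ACL whose id can never match. The enclosing method starts and ends outside the hunk.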

http://git-wip-us.apache.org/repos/asf/hbase/blob/85b5d493/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index eb629f2..1099e5e 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
@@ -41,6 +42,29 @@ import org.junit.experimental.categories.Category;
 public class TestZKUtil {
 
   @Test
+  public void testUnsecure() throws ZooKeeperConnectionException, IOException {
+    Configuration conf = HBaseConfiguration.create();
+    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+    String node = "/hbase/testUnsecure";
+    ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+    List<ACL> aclList = ZKUtil.createACL(watcher, node, false);
+    Assert.assertEquals(aclList.size(), 1);
+    Assert.assertTrue(aclList.contains(Ids.OPEN_ACL_UNSAFE.iterator().next()));
+  }
+
+  @Test
+  public void testSecuritySingleSuperuser() throws ZooKeeperConnectionException, IOException
{
+    Configuration conf = HBaseConfiguration.create();
+    conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+    String node = "/hbase/testSecuritySingleSuperuser";
+    ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+    List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+    Assert.assertEquals(aclList.size(), 2); // 1+1, since ACL will be set for the creator
by default
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+    Assert.assertTrue(aclList.contains(Ids.CREATOR_ALL_ACL.iterator().next()));
+  }
+
+  @Test
   public void testCreateACL() throws ZooKeeperConnectionException, IOException {
     Configuration conf = HBaseConfiguration.create();
     conf.set(Superusers.SUPERUSER_CONF_KEY, "user1,@group1,user2,@group2,user3");
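Review bot: The new `assertEquals` calls in `testUnsecure` and `testSecuritySingleSuperuser` pass the arguments in (actual, expected) order, so a failure reports `expected:<2> but was:<1>` backwards; they should read `Assert.assertEquals(1, aclList.size());` and `Assert.assertEquals(2, aclList.size());`. Both tests also create a `ZooKeeperWatcher` that is never closed; wrapping it in try-with-resources (if it is `Closeable` in this branch, which I cannot confirm from the hunk) or closing it in a `finally` avoids leaking the connection between tests. The `testCreateACL` method continues past the end of this hunk.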
@@ -48,10 +72,10 @@ public class TestZKUtil {
     ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
     List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
     Assert.assertEquals(aclList.size(), 4); // 3+1, since ACL will be set for the creator
by default
-    Assert.assertTrue(!aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group1")))
-        && !aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group2"))));
-    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", "user1")))
-        && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user2")))
-        && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user3"))));
+    Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+    Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group2"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
+    Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
   }
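Review bot: The five separate contains/not-contains assertions on the new lines could be replaced by a single comparison against the full expected set, which also subsumes the size check and the group-exclusion checks and gives a failure message that shows the actual ACL list: `Set<ACL> expected = new HashSet<>(Arrays.asList(creatorAcl, new ACL(Perms.ALL, new Id("sasl", "user1")), new ACL(Perms.ALL, new Id("sasl", "user2")), new ACL(Perms.ALL, new Id("sasl", "user3"))));` followed by `Assert.assertEquals(expected, new HashSet<>(aclList));`. A short comment on why the group entries are expected to be absent, e.g. `// groups are collected separately; ZK has no group ACL scheme`, would make the negative assertions self-explanatory. The `ZooKeeperWatcher` created above this hunk is likewise never closed.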
 }

