From commits-return-64571-archive-asf-public=cust-asf.ponee.io@hbase.apache.org Fri Jan 5 21:06:48 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 1CC41180647 for ; Fri, 5 Jan 2018 21:06:48 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 0C0B0160C15; Fri, 5 Jan 2018 20:06:48 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 80E50160C27 for ; Fri, 5 Jan 2018 21:06:46 +0100 (CET) Received: (qmail 41249 invoked by uid 500); 5 Jan 2018 20:06:45 -0000 Mailing-List: contact commits-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hbase.apache.org Delivered-To: mailing list commits@hbase.apache.org Received: (qmail 41239 invoked by uid 99); 5 Jan 2018 20:06:45 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Jan 2018 20:06:45 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 924D6DF965; Fri, 5 Jan 2018 20:06:41 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: tedyu@apache.org To: commits@hbase.apache.org Date: Fri, 05 Jan 2018 20:06:43 -0000 Message-Id: <9a49d8a80eca436482b349dff58e8662@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [3/3] hbase git commit: HBASE-19483 Add proper privilege check for rsgroup commands - revert due to pending review comment HBASE-19483 Add proper privilege check for rsgroup commands - revert due to pending review comment Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/5ce93511 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/5ce93511 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/5ce93511 Branch: refs/heads/master Commit: 5ce93511290d2bcf69e41d7ca5cec7464076d81d Parents: fc7736e Author: tedyu Authored: Fri Jan 5 12:06:31 2018 -0800 Committer: tedyu Committed: Fri Jan 5 12:06:31 2018 -0800 ---------------------------------------------------------------------- ...tegrationTestIngestWithVisibilityLabels.java | 7 +- ...egrationTestBigLinkedListWithVisibility.java | 7 +- ...tionTestWithCellVisibilityLoadAndVerify.java | 7 +- .../TestImportTSVWithVisibilityLabels.java | 6 +- .../hbase/rest/TestScannersWithLabels.java | 6 +- .../hbase/rsgroup/RSGroupAdminEndpoint.java | 115 +-- .../hadoop/hbase/master/MasterRpcServices.java | 3 +- .../hbase/security/access/AccessChecker.java | 333 --------- .../hbase/security/access/AccessController.java | 697 ++++++++++++------ .../visibility/VisibilityController.java | 13 +- .../hbase/security/access/SecureTestUtil.java | 6 - .../security/access/TestAccessController.java | 75 ++ .../security/visibility/VisibilityTestUtil.java | 3 +- ...TestThriftHBaseServiceHandlerWithLabels.java | 703 ++++++++++--------- .../asciidoc/_chapters/appendix_acl_matrix.adoc | 11 - src/main/asciidoc/_chapters/ops_mgt.adoc | 12 - src/main/asciidoc/_chapters/security.adoc | 36 - 17 files changed, 960 insertions(+), 1080 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithVisibilityLabels.java ---------------------------------------------------------------------- diff --git a/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithVisibilityLabels.java b/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithVisibilityLabels.java index 2928b6d..b7d8dad 100644 --- a/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithVisibilityLabels.java +++ b/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithVisibilityLabels.java @@ -23,10 +23,11 @@ import java.util.Arrays; import java.util.List; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.io.hfile.HFile; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.visibility.LoadTestDataGeneratorWithVisibilityLabels; import org.apache.hadoop.hbase.security.visibility.VisibilityClient; -import org.apache.hadoop.hbase.security.visibility.VisibilityTestUtil; +import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.testclassification.IntegrationTests; import org.apache.hadoop.hbase.util.LoadTestTool; import org.junit.experimental.categories.Category; @@ -75,7 +76,9 @@ public class IntegrationTestIngestWithVisibilityLabels extends IntegrationTestIn public void setUpCluster() throws Exception { util = getTestingUtil(null); Configuration conf = util.getConfiguration(); - VisibilityTestUtil.enableVisiblityLabels(conf); + conf.setInt(HFile.FORMAT_VERSION_KEY, 3); + conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); + conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.set("hbase.superuser", "admin," + User.getCurrent().getName()); super.setUpCluster(); addLabels(); http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestBigLinkedListWithVisibility.java ---------------------------------------------------------------------- diff --git a/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestBigLinkedListWithVisibility.java b/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestBigLinkedListWithVisibility.java index 9349f7b..d0e6e52 100644 --- a/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestBigLinkedListWithVisibility.java +++ b/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestBigLinkedListWithVisibility.java @@ -47,6 +47,7 @@ import org.apache.hadoop.hbase.client.Put; import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.io.ImmutableBytesWritable; +import org.apache.hadoop.hbase.io.hfile.HFile; import org.apache.hadoop.hbase.log.HBaseMarkers; import org.apache.hadoop.hbase.mapreduce.Import; import org.apache.hadoop.hbase.mapreduce.TableMapReduceUtil; @@ -56,7 +57,7 @@ import org.apache.hadoop.hbase.security.access.Permission; import org.apache.hadoop.hbase.security.visibility.Authorizations; import org.apache.hadoop.hbase.security.visibility.CellVisibility; import org.apache.hadoop.hbase.security.visibility.VisibilityClient; -import org.apache.hadoop.hbase.security.visibility.VisibilityTestUtil; +import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.testclassification.IntegrationTests; import org.apache.hadoop.hbase.util.AbstractHBaseTool; import org.apache.hadoop.hbase.util.Bytes; @@ -372,7 +373,9 @@ public class IntegrationTestBigLinkedListWithVisibility extends IntegrationTestB public void setUpCluster() throws Exception { util = getTestingUtil(null); Configuration conf = util.getConfiguration(); - VisibilityTestUtil.enableVisiblityLabels(conf); + conf.setInt(HFile.FORMAT_VERSION_KEY, 3); + conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); + conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.set("hbase.superuser", User.getCurrent().getName()); conf.setBoolean("dfs.permissions", false); USER = User.createUserForTesting(conf, userName, new String[] {}); http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestWithCellVisibilityLoadAndVerify.java ---------------------------------------------------------------------- diff --git a/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestWithCellVisibilityLoadAndVerify.java b/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestWithCellVisibilityLoadAndVerify.java index 32c1ddd..3f97fbb 100644 --- a/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestWithCellVisibilityLoadAndVerify.java +++ b/hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestWithCellVisibilityLoadAndVerify.java @@ -40,6 +40,7 @@ import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.client.ScannerCallable; import org.apache.hadoop.hbase.io.ImmutableBytesWritable; +import org.apache.hadoop.hbase.io.hfile.HFile; import org.apache.hadoop.hbase.mapreduce.TableMapReduceUtil; import org.apache.hadoop.hbase.mapreduce.TableMapper; import org.apache.hadoop.hbase.mapreduce.TableRecordReaderImpl; @@ -47,7 +48,7 @@ import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.visibility.Authorizations; import org.apache.hadoop.hbase.security.visibility.CellVisibility; import org.apache.hadoop.hbase.security.visibility.VisibilityClient; -import org.apache.hadoop.hbase.security.visibility.VisibilityTestUtil; +import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.testclassification.IntegrationTests; import org.apache.hadoop.hbase.util.AbstractHBaseTool; import org.apache.hadoop.hbase.util.Bytes; @@ -115,7 +116,9 @@ public class IntegrationTestWithCellVisibilityLoadAndVerify extends IntegrationT public void setUpCluster() throws Exception { util = getTestingUtil(null); Configuration conf = util.getConfiguration(); - VisibilityTestUtil.enableVisiblityLabels(conf); + conf.setInt(HFile.FORMAT_VERSION_KEY, 3); + conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); + conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.set("hbase.superuser", User.getCurrent().getName()); conf.setBoolean("dfs.permissions", false); super.setUpCluster(); http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java ---------------------------------------------------------------------- diff --git a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java index 6d6b729..8d3f3df 100644 --- a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java +++ b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java @@ -58,7 +58,7 @@ import org.apache.hadoop.hbase.security.visibility.ScanLabelGenerator; import org.apache.hadoop.hbase.security.visibility.SimpleScanLabelGenerator; import org.apache.hadoop.hbase.security.visibility.VisibilityClient; import org.apache.hadoop.hbase.security.visibility.VisibilityConstants; -import org.apache.hadoop.hbase.security.visibility.VisibilityTestUtil; +import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.security.visibility.VisibilityUtils; import org.apache.hadoop.hbase.testclassification.LargeTests; import org.apache.hadoop.hbase.testclassification.MapReduceTests; @@ -121,7 +121,9 @@ public class TestImportTSVWithVisibilityLabels implements Configurable { conf = util.getConfiguration(); SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); conf.set("hbase.superuser", "admin,"+User.getCurrent().getName()); - VisibilityTestUtil.enableVisiblityLabels(conf); + conf.setInt("hfile.format.version", 3); + conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); + conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class, ScanLabelGenerator.class); util.startMiniCluster(); http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java ---------------------------------------------------------------------- diff --git a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java index 8d738ed..6ac8e87 100644 --- a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java +++ b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java @@ -43,7 +43,7 @@ import org.apache.hadoop.hbase.security.visibility.ScanLabelGenerator; import org.apache.hadoop.hbase.security.visibility.SimpleScanLabelGenerator; import org.apache.hadoop.hbase.security.visibility.VisibilityClient; import org.apache.hadoop.hbase.security.visibility.VisibilityConstants; -import org.apache.hadoop.hbase.security.visibility.VisibilityTestUtil; +import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.security.visibility.VisibilityUtils; import org.apache.hadoop.hbase.testclassification.MediumTests; import org.apache.hadoop.hbase.testclassification.RestTests; @@ -130,8 +130,10 @@ public class TestScannersWithLabels { conf = TEST_UTIL.getConfiguration(); conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class, ScanLabelGenerator.class); + conf.setInt("hfile.format.version", 3); conf.set("hbase.superuser", SUPERUSER.getShortName()); - VisibilityTestUtil.enableVisiblityLabels(conf); + conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); + conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); TEST_UTIL.startMiniCluster(1); // Wait for the labels table to become available TEST_UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000); http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java ---------------------------------------------------------------------- diff --git a/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java b/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java index 964b5da..7e148e0 100644 --- a/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java +++ b/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java @@ -46,7 +46,6 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; import org.apache.hadoop.hbase.coprocessor.MasterObserver; import org.apache.hadoop.hbase.coprocessor.ObserverContext; import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils; -import org.apache.hadoop.hbase.ipc.RpcServer; import org.apache.hadoop.hbase.master.MasterServices; import org.apache.hadoop.hbase.net.Address; import org.apache.hadoop.hbase.protobuf.ProtobufUtil; @@ -75,11 +74,6 @@ import org.apache.hadoop.hbase.protobuf.generated.RSGroupAdminProtos.RemoveRSGro import org.apache.hadoop.hbase.protobuf.generated.RSGroupAdminProtos.RemoveRSGroupResponse; import org.apache.hadoop.hbase.protobuf.generated.RSGroupAdminProtos.RemoveServersRequest; import org.apache.hadoop.hbase.protobuf.generated.RSGroupAdminProtos.RemoveServersResponse; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.UserProvider; -import org.apache.hadoop.hbase.security.access.AccessChecker; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.zookeeper.ZKWatcher; import org.apache.yetus.audience.InterfaceAudience; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -98,17 +92,12 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { private RSGroupInfoManager groupInfoManager; private RSGroupAdminServer groupAdminServer; private final RSGroupAdminService groupAdminService = new RSGroupAdminServiceImpl(); - private AccessChecker accessChecker; - - /** Provider for mapping principal names to Users */ - private UserProvider userProvider; @Override public void start(CoprocessorEnvironment env) throws IOException { if (!(env instanceof HasMasterServices)) { throw new IOException("Does not implement HMasterServices"); } - master = ((HasMasterServices)env).getMasterServices(); groupInfoManager = RSGroupInfoManagerImpl.getInstance(master); groupAdminServer = new RSGroupAdminServer(master, groupInfoManager); @@ -117,11 +106,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { if (!RSGroupableBalancer.class.isAssignableFrom(clazz)) { throw new IOException("Configured balancer does not support RegionServer groups."); } - ZKWatcher zk = ((HasMasterServices)env).getMasterServices().getZooKeeper(); - accessChecker = new AccessChecker(env.getConfiguration(), zk); - - // set the user-provider. - this.userProvider = UserProvider.instantiate(env.getConfiguration()); } @Override @@ -153,7 +137,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { LOG.info(master.getClientIdAuditPrefix() + " initiates rsgroup info retrieval, group=" + groupName); try { - checkPermission("getRSGroupInfo"); RSGroupInfo rsGroupInfo = groupAdminServer.getRSGroupInfo(groupName); if (rsGroupInfo != null) { builder.setRSGroupInfo(RSGroupProtobufUtil.toProtoGroupInfo(rsGroupInfo)); @@ -168,11 +151,10 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { public void getRSGroupInfoOfTable(RpcController controller, GetRSGroupInfoOfTableRequest request, RpcCallback done) { GetRSGroupInfoOfTableResponse.Builder builder = GetRSGroupInfoOfTableResponse.newBuilder(); - TableName tableName = ProtobufUtil.toTableName(request.getTableName()); - LOG.info(master.getClientIdAuditPrefix() + " initiates rsgroup info retrieval, table=" - + tableName); try { - checkPermission("getRSGroupInfoOfTable"); + TableName tableName = ProtobufUtil.toTableName(request.getTableName()); + LOG.info(master.getClientIdAuditPrefix() + " initiates rsgroup info retrieval, table=" + + tableName); RSGroupInfo RSGroupInfo = groupAdminServer.getRSGroupInfoOfTable(tableName); if (RSGroupInfo != null) { builder.setRSGroupInfo(RSGroupProtobufUtil.toProtoGroupInfo(RSGroupInfo)); @@ -187,14 +169,13 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { public void moveServers(RpcController controller, MoveServersRequest request, RpcCallback done) { MoveServersResponse.Builder builder = MoveServersResponse.newBuilder(); - Set
hostPorts = Sets.newHashSet(); - for (HBaseProtos.ServerName el : request.getServersList()) { - hostPorts.add(Address.fromParts(el.getHostName(), el.getPort())); - } - LOG.info(master.getClientIdAuditPrefix() + " move servers " + hostPorts +" to rsgroup " - + request.getTargetGroup()); try { - checkPermission("moveServers"); + Set
hostPorts = Sets.newHashSet(); + for (HBaseProtos.ServerName el : request.getServersList()) { + hostPorts.add(Address.fromParts(el.getHostName(), el.getPort())); + } + LOG.info(master.getClientIdAuditPrefix() + " move servers " + hostPorts +" to rsgroup " + + request.getTargetGroup()); groupAdminServer.moveServers(hostPorts, request.getTargetGroup()); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -206,14 +187,13 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { public void moveTables(RpcController controller, MoveTablesRequest request, RpcCallback done) { MoveTablesResponse.Builder builder = MoveTablesResponse.newBuilder(); - Set tables = new HashSet<>(request.getTableNameList().size()); - for (HBaseProtos.TableName tableName : request.getTableNameList()) { - tables.add(ProtobufUtil.toTableName(tableName)); - } - LOG.info(master.getClientIdAuditPrefix() + " move tables " + tables +" to rsgroup " - + request.getTargetGroup()); try { - checkPermission("moveTables"); + Set tables = new HashSet<>(request.getTableNameList().size()); + for (HBaseProtos.TableName tableName : request.getTableNameList()) { + tables.add(ProtobufUtil.toTableName(tableName)); + } + LOG.info(master.getClientIdAuditPrefix() + " move tables " + tables +" to rsgroup " + + request.getTargetGroup()); groupAdminServer.moveTables(tables, request.getTargetGroup()); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -227,7 +207,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { AddRSGroupResponse.Builder builder = AddRSGroupResponse.newBuilder(); LOG.info(master.getClientIdAuditPrefix() + " add rsgroup " + request.getRSGroupName()); try { - checkPermission("addRSGroup"); groupAdminServer.addRSGroup(request.getRSGroupName()); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -242,7 +221,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { RemoveRSGroupResponse.newBuilder(); LOG.info(master.getClientIdAuditPrefix() + " remove rsgroup " + request.getRSGroupName()); try { - checkPermission("removeRSGroup"); groupAdminServer.removeRSGroup(request.getRSGroupName()); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -257,7 +235,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { LOG.info(master.getClientIdAuditPrefix() + " balance rsgroup, group=" + request.getRSGroupName()); try { - checkPermission("balanceRSGroup"); builder.setBalanceRan(groupAdminServer.balanceRSGroup(request.getRSGroupName())); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -272,7 +249,6 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { ListRSGroupInfosResponse.Builder builder = ListRSGroupInfosResponse.newBuilder(); LOG.info(master.getClientIdAuditPrefix() + " list rsgroup"); try { - checkPermission("listRSGroup"); for (RSGroupInfo RSGroupInfo : groupAdminServer.listRSGroups()) { builder.addRSGroupInfo(RSGroupProtobufUtil.toProtoGroupInfo(RSGroupInfo)); } @@ -286,12 +262,11 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { public void getRSGroupInfoOfServer(RpcController controller, GetRSGroupInfoOfServerRequest request, RpcCallback done) { GetRSGroupInfoOfServerResponse.Builder builder = GetRSGroupInfoOfServerResponse.newBuilder(); - Address hp = Address.fromParts(request.getServer().getHostName(), - request.getServer().getPort()); - LOG.info(master.getClientIdAuditPrefix() + " initiates rsgroup info retrieval, server=" - + hp); try { - checkPermission("getRSGroupInfoOfServer"); + Address hp = Address.fromParts(request.getServer().getHostName(), + request.getServer().getPort()); + LOG.info(master.getClientIdAuditPrefix() + " initiates rsgroup info retrieval, server=" + + hp); RSGroupInfo RSGroupInfo = groupAdminServer.getRSGroupOfServer(hp); if (RSGroupInfo != null) { builder.setRSGroupInfo(RSGroupProtobufUtil.toProtoGroupInfo(RSGroupInfo)); @@ -306,18 +281,17 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { public void moveServersAndTables(RpcController controller, MoveServersAndTablesRequest request, RpcCallback done) { MoveServersAndTablesResponse.Builder builder = MoveServersAndTablesResponse.newBuilder(); - Set
hostPorts = Sets.newHashSet(); - for (HBaseProtos.ServerName el : request.getServersList()) { - hostPorts.add(Address.fromParts(el.getHostName(), el.getPort())); - } - Set tables = new HashSet<>(request.getTableNameList().size()); - for (HBaseProtos.TableName tableName : request.getTableNameList()) { - tables.add(ProtobufUtil.toTableName(tableName)); - } - LOG.info(master.getClientIdAuditPrefix() + " move servers " + hostPorts - + " and tables " + tables + " to rsgroup" + request.getTargetGroup()); try { - checkPermission("moveServersAndTables"); + Set
hostPorts = Sets.newHashSet(); + for (HBaseProtos.ServerName el : request.getServersList()) { + hostPorts.add(Address.fromParts(el.getHostName(), el.getPort())); + } + Set tables = new HashSet<>(request.getTableNameList().size()); + for (HBaseProtos.TableName tableName : request.getTableNameList()) { + tables.add(ProtobufUtil.toTableName(tableName)); + } + LOG.info(master.getClientIdAuditPrefix() + " move servers " + hostPorts + + " and tables " + tables + " to rsgroup" + request.getTargetGroup()); groupAdminServer.moveServersAndTables(hostPorts, tables, request.getTargetGroup()); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -331,14 +305,13 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { RpcCallback done) { RemoveServersResponse.Builder builder = RemoveServersResponse.newBuilder(); - Set
servers = Sets.newHashSet(); - for (HBaseProtos.ServerName el : request.getServersList()) { - servers.add(Address.fromParts(el.getHostName(), el.getPort())); - } - LOG.info(master.getClientIdAuditPrefix() - + " remove decommissioned servers from rsgroup: " + servers); try { - checkPermission("removeServers"); + Set
servers = Sets.newHashSet(); + for (HBaseProtos.ServerName el : request.getServersList()) { + servers.add(Address.fromParts(el.getHostName(), el.getPort())); + } + LOG.info(master.getClientIdAuditPrefix() + + " remove decommissioned servers from rsgroup: " + servers); groupAdminServer.removeServers(servers); } catch (IOException e) { CoprocessorRpcUtils.setControllerException(controller, e); @@ -424,21 +397,5 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver { groupAdminServer.removeServers(clearedServer); } - private void checkPermission(String request) throws IOException { - accessChecker.requirePermission(getActiveUser(), request, Action.ADMIN); - } - - /** - * Returns the active user to which authorization checks should be applied. - * If we are in the context of an RPC call, the remote user is used, - * otherwise the currently logged in user is used. - */ - public User getActiveUser() throws IOException { - // for non-rpc handling, fallback to system user - Optional optionalUser = RpcServer.getRequestUser(); - if (optionalUser.isPresent()) { - return optionalUser.get(); - } - return userProvider.getCurrent(); - } + ///////////////////////////////////////////////////////////////////////////// } http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java index 907ca9b..8f41e4f 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java @@ -83,7 +83,6 @@ import org.apache.hadoop.hbase.replication.ReplicationException; import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; import org.apache.hadoop.hbase.replication.ReplicationPeerDescription; import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.AccessChecker; import org.apache.hadoop.hbase.security.access.AccessController; import org.apache.hadoop.hbase.security.visibility.VisibilityController; import org.apache.hadoop.hbase.snapshot.ClientSnapshotDescriptionUtils; @@ -1811,7 +1810,7 @@ public class MasterRpcServices extends RSRpcServices // A coprocessor that implements AccessControlService can provide AUTHORIZATION and // CELL_AUTHORIZATION if (master.cpHost != null && hasAccessControlServiceCoprocessor(master.cpHost)) { - if (AccessChecker.isAuthorizationSupported(master.getConfiguration())) { + if (AccessController.isAuthorizationSupported(master.getConfiguration())) { capabilities.add(SecurityCapabilitiesResponse.Capability.AUTHORIZATION); } if (AccessController.isCellAuthorizationSupported(master.getConfiguration())) { http://git-wip-us.apache.org/repos/asf/hbase/blob/5ce93511/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java deleted file mode 100644 index 2a7373e..0000000 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java +++ /dev/null @@ -1,333 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.hadoop.hbase.security.access; - -import java.io.IOException; -import java.net.InetAddress; -import java.util.Collection; -import java.util.Map; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hbase.DoNotRetryIOException; -import org.apache.hadoop.hbase.TableName; -import org.apache.hadoop.hbase.client.RegionInfo; -import org.apache.hadoop.hbase.ipc.RpcServer; -import org.apache.hadoop.hbase.security.AccessDeniedException; -import org.apache.hadoop.hbase.security.User; -import org.apache.hadoop.hbase.security.access.Permission.Action; -import org.apache.hadoop.hbase.zookeeper.ZKWatcher; -import org.apache.yetus.audience.InterfaceAudience; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -@InterfaceAudience.Private -public final class AccessChecker { - private static final Logger AUDITLOG = - LoggerFactory.getLogger("SecurityLogger." + AccessChecker.class.getName()); - private TableAuthManager authManager; - /** - * if we are active, usually false, only true if "hbase.security.authorization" - * has been set to true in site configuration.see HBASE-19483. - */ - private boolean authorizationEnabled; - - public static boolean isAuthorizationSupported(Configuration conf) { - return conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false); - } - - /** - * Constructor with existing configuration - * - * @param conf Existing configuration to use - * @param zkw reference to the {@link ZKWatcher} - * @return the AccessChecker instance - */ - public AccessChecker(final Configuration conf, final ZKWatcher zkw) - throws RuntimeException { - // If zk is null or IOException while obtaining auth manager, - // throw RuntimeException so that the coprocessor is unloaded. - if (zkw != null) { - try { - this.authManager = TableAuthManager.getOrCreate(zkw, conf); - } catch (IOException ioe) { - throw new RuntimeException("Error obtaining AccessChecker", ioe); - } - } else { - throw new NullPointerException("Error obtaining AccessChecker, zk found null."); - } - authorizationEnabled = isAuthorizationSupported(conf); - } - - public TableAuthManager getAuthManager() { - return authManager; - } - - /** - * Authorizes that the current user has any of the given permissions to access the table. - * - * @param tableName Table requested - * @param permissions Actions being requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - public void requireAccess(User user, String request, TableName tableName, - Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.hasAccess(user, tableName, permission)) { - result = AuthResult.allow(request, "Table permission granted", - user, permission, tableName, null, null); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", - user, permission, tableName, null, null); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } - } - - /** - * Authorizes that the current user has global privileges for the given action. - * - * @param perm The action being requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if authorization is denied - */ - public void requirePermission(User user, String request, Action perm) - throws IOException { - requireGlobalPermission(user, request, perm, null, null); - } - - /** - * Checks that the user has the given global permission. The generated - * audit log message will contain context information for the operation - * being authorized, based on the given parameters. - * - * @param perm Action being requested - * @param tableName Affected table name. - * @param familyMap Affected column families. - */ - public void requireGlobalPermission(User user, String request, - Action perm, TableName tableName, - Map> familyMap)throws IOException { - AuthResult result; - if (authManager.authorize(user, perm)) { - result = AuthResult.allow(request, "Global check allowed", - user, perm, tableName, familyMap); - result.getParams().setTableName(tableName).setFamilies(familyMap); - logResult(result); - } else { - result = AuthResult.deny(request, "Global check failed", - user, perm, tableName, familyMap); - result.getParams().setTableName(tableName).setFamilies(familyMap); - logResult(result); - if (authorizationEnabled) { - throw new AccessDeniedException( - "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") - + "' (global, action=" + perm.toString() + ")"); - } - } - } - - /** - * Checks that the user has the given global permission. The generated - * audit log message will contain context information for the operation - * being authorized, based on the given parameters. - * - * @param perm Action being requested - * @param namespace The given namespace - */ - public void requireGlobalPermission(User user, String request, Action perm, - String namespace) throws IOException { - AuthResult authResult; - if (authManager.authorize(user, perm)) { - authResult = AuthResult.allow(request, "Global check allowed", - user, perm, null); - authResult.getParams().setNamespace(namespace); - logResult(authResult); - } else { - authResult = AuthResult.deny(request, "Global check failed", - user, perm, null); - authResult.getParams().setNamespace(namespace); - logResult(authResult); - if (authorizationEnabled) { - throw new AccessDeniedException( - "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") - + "' (global, action=" + perm.toString() + ")"); - } - } - } - - /** - * Checks that the user has the given global or namespace permission. - * - * @param namespace The given namespace - * @param permissions Actions being requested - */ - public void requireNamespacePermission(User user, String request, String namespace, - Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, namespace, permission)) { - result = - AuthResult.allow(request, "Namespace permission granted", - user, permission, namespace); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", - user, permission, namespace); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } - } - - /** - * Checks that the user has the given global or namespace permission. - * - * @param namespace The given namespace - * @param permissions Actions being requested - */ - public void requireNamespacePermission(User user, String request, String namespace, - TableName tableName, Map> familyMap, - Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, namespace, permission)) { - result = - AuthResult.allow(request, "Namespace permission granted", - user, permission, namespace); - result.getParams().setTableName(tableName).setFamilies(familyMap); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", - user, permission, namespace); - result.getParams().setTableName(tableName).setFamilies(familyMap); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } - } - - /** - * Authorizes that the current user has any of the given permissions for the - * given table, column family and column qualifier. - * - * @param tableName Table requested - * @param family Column family requested - * @param qualifier Column qualifier requested - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - public void requirePermission(User user, String request, TableName tableName, byte[] family, - byte[] qualifier, Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, tableName, family, qualifier, permission)) { - result = AuthResult.allow(request, "Table permission granted", - user, permission, tableName, family, - qualifier); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", - user, permission, tableName, family, - qualifier); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } - } - - /** - * Authorizes that the current user has any of the given permissions for the - * given table, column family and column qualifier. - * - * @param tableName Table requested - * @param family Column family param - * @param qualifier Column qualifier param - * @throws IOException if obtaining the current user fails - * @throws AccessDeniedException if user has no authorization - */ - public void requireTablePermission(User user, String request, - TableName tableName,byte[] family, byte[] qualifier, - Action... permissions) throws IOException { - AuthResult result = null; - - for (Action permission : permissions) { - if (authManager.authorize(user, tableName, null, null, permission)) { - result = AuthResult.allow(request, "Table permission granted", - user, permission, tableName, null, null); - result.getParams().setFamily(family).setQualifier(qualifier); - break; - } else { - // rest of the world - result = AuthResult.deny(request, "Insufficient permissions", - user, permission, tableName, family, qualifier); - result.getParams().setFamily(family).setQualifier(qualifier); - } - } - logResult(result); - if (authorizationEnabled && !result.isAllowed()) { - throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); - } - } - - public void checkLockPermissions(User user, String namespace, - TableName tableName, RegionInfo[] regionInfos, String reason) - throws IOException { - if (namespace != null && !namespace.isEmpty()) { - requireNamespacePermission(user, reason, namespace, Action.ADMIN, Action.CREATE); - } else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) { - // So, either a table or regions op. If latter, check perms ons table. - TableName tn = tableName != null? tableName: regionInfos[0].getTable(); - requireTablePermission(user, reason, tn, null, null, - Action.ADMIN, Action.CREATE); - } else { - throw new DoNotRetryIOException("Invalid lock level when requesting permissions."); - } - } - - public static void logResult(AuthResult result) { - if (AUDITLOG.isTraceEnabled()) { - AUDITLOG.trace("Access " + (result.isAllowed() ? "allowed" : "denied") + " for user " + ( - result.getUser() != null ? - result.getUser().getShortName() : - "UNKNOWN") + "; reason: " + result.getReason() + "; remote address: " - + RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("") - + "; request: " + result.getRequest() + "; context: " + result.toContextString()); - } - } -} \ No newline at end of file