hbase-dev mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: Consult about the issue HBASE-18323
Date Tue, 11 Jul 2017 15:04:46 GMT
Shibin,

Please keep all communication on public forums (JIRA or mailing lists). 
This is very important to make sure that all parties interested can 
participate -- we do not want to be exclusionary.

To answer your question, your change below is half-way there:

Your change below would prevent any superuser from having an ACL set 
whereas you only want to prevent the hbase service user from having an 
ACL set twice. For each user in superUsers, add the ACL if and only if 
`user` is not `hbaseUser`.

You also need to have better error handling around the 
UGI.getCurrentUser() call (printing a stack trace to stdout is not 
sufficient).

On 7/11/17 1:48 AM, zhang.shibin@zte.com.cn wrote:
> Hi, as I understand it, I changed the code as below; this will keep 
> CREATOR_ALL_ACL semantically, which is reasonable.
> 
> How about this? If OK, I will change the unit test and paste the patch.
> 
> 
>   String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
> * String hbaseUser = null;*
> *      try {*
> *            hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();*
> *      } catch (IOException e) {*
> *          e.printStackTrace();*
> *      }*
>        if (superUsers != null) {
>          List<String> groups = new ArrayList<>();
>          for (String user : superUsers) {
>            if (AuthUtil.isGroupPrincipal(user)) {
>              // TODO: Set node ACL for groups when ZK supports this feature
>              groups.add(user);
>            } else {
> *  if(!ArrayUtils.contains(superUsers,hbaseUser)) {*
> *              acls.add(new ACL(Perms.ALL, new Id("sasl", user)));*
> *            }*
>            }
>          }
>          if (!groups.isEmpty()) {
>            LOG.warn("Znode ACL setting for group " + groups
>                + " is skipped, ZooKeeper doesn't support this feature presently.");
>          }
>        }
> 
> 张世彬 zhang shibin
> IT Development Engineer
> Network Management & Service Development Dept. I/Central R&D Institute/System Product
> ZTE Phase II, No. 68 Zijinghua Road, Nanjing
> M: +8613611508957
> E: zhang.shibin@zte.com.cn
> www.zte.com.cn <http://www.zte.com.cn/>
> 
> 
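
The difference between the check in the quoted snippet and the per-user check described in the reply, as an added example that is not part of the thread and not HBase code. `SaslAcl`, `CurrentUser` and the sample user names are hypothetical stand-ins for ZooKeeper's `ACL`/`Id`, Hadoop's `UserGroupInformation` and a real superuser list; rethrowing the `IOException` is one possible way to handle the lookup failure (requires Java 16+ for `record`).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SuperuserAclDemo {
    // Hypothetical stand-in for new ACL(Perms.ALL, new Id("sasl", user)).
    record SaslAcl(String user) {}

    // Hypothetical stand-in for UserGroupInformation.getCurrentUser().getShortUserName().
    interface CurrentUser { String shortName() throws IOException; }

    // Simplified stand-in for AuthUtil.isGroupPrincipal (assumes the "@" group prefix).
    static boolean isGroupPrincipal(String name) { return name.startsWith("@"); }

    // Check from the quoted snippet: the condition never looks at `user`, so once the
    // service user appears in the superuser list, no superuser receives an ACL.
    static List<SaslAcl> proposed(String[] superUsers, String hbaseUser) {
        List<SaslAcl> acls = new ArrayList<>();
        for (String user : superUsers) {
            if (!isGroupPrincipal(user) && !Arrays.asList(superUsers).contains(hbaseUser)) {
                acls.add(new SaslAcl(user));
            }
        }
        return acls;
    }

    // Check described in the reply: skip only the entry equal to the service user,
    // so that user does not get an ACL set twice; every other superuser keeps its ACL.
    static List<SaslAcl> perUser(String[] superUsers, CurrentUser ugi) throws IOException {
        String hbaseUser;
        try {
            hbaseUser = ugi.shortName();
        } catch (IOException e) {
            // Fail ACL construction instead of printing a trace and continuing with null.
            throw new IOException("Could not determine the current HBase service user", e);
        }
        List<SaslAcl> acls = new ArrayList<>();
        for (String user : superUsers) {
            if (isGroupPrincipal(user)) continue;  // groups are skipped, as in the snippet
            if (!user.equals(hbaseUser)) acls.add(new SaslAcl(user));
        }
        return acls;
    }

    public static void main(String[] args) throws IOException {
        String[] superUsers = {"hbase", "admin", "@ops"};  // constructed sample list
        System.out.println("proposed: " + proposed(superUsers, "hbase"));
        System.out.println("per-user: " + perUser(superUsers, () -> "hbase"));
    }
}
```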
