hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16773) AccessController should access local region if possible
Date Fri, 07 Oct 2016 16:54:21 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15555615#comment-15555615
] 

Ted Yu commented on HBASE-16773:
--------------------------------

Currently investigating why TestAccessController#testGrantRevoke fails in branch-1 with:
{code}
2016-10-07 09:36:24,767 DEBUG [RpcServer.FifoWFPBQ.priority.handler=7,queue=1,port=55271]
ipc.CallRunner(126): RpcServer.FifoWFPBQ.priority.handler=7,queue=1,port=55271: callId: 1
service:   ClientService methodName: ExecService size: 182 connection: 10.22.9.171:55394
java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=owner, scope=hbase:acl, family=l:rouser,f1, params=[table=hbase:acl,family=l:
     rouser,f1],action=WRITE)
  at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:212)
  at org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2308)
  at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:9941)
  at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10102)
  at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8083)
  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2044)
  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2026)
  at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:34954)
  at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2277)
  at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:123)
  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:189)
  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:169)
Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions
(user=owner, scope=hbase:acl, family=l:rouser,f1, params=[table=hbase:acl,family=l:rouser,f1],
    action=WRITE)
  at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1726)
  at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:975)
  at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1674)
  at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1750)
  at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1706)
  at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:971)
  at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3008)
  at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2972)
  at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2918)
  at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2922)
  at org.apache.hadoop.hbase.regionserver.HRegion.doBatchMutate(HRegion.java:3694)
  at org.apache.hadoop.hbase.regionserver.HRegion.delete(HRegion.java:2698)
  at org.apache.hadoop.hbase.regionserver.RSRpcServices.mutate(RSRpcServices.java:2364)
  at org.apache.hadoop.hbase.client.HTable$4.call(HTable.java:994)
  at org.apache.hadoop.hbase.client.HTable$4.call(HTable.java:984)
  at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:137)
  at org.apache.hadoop.hbase.client.HTable.delete(HTable.java:1001)
  at org.apache.hadoop.hbase.client.HTableWrapper.delete(HTableWrapper.java:157)
  at org.apache.hadoop.hbase.security.access.AccessControlLists.removeUserPermission(AccessControlLists.java:204)
  at org.apache.hadoop.hbase.security.access.AccessController$9.run(AccessController.java:2311)
  at org.apache.hadoop.hbase.security.access.AccessController$9.run(AccessController.java:2308)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:422)
  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
  at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:444)
  at org.apache.hadoop.security.SecurityUtil.doAsLoginUser(SecurityUtil.java:425)
  at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.apache.hadoop.hbase.util.Methods.call(Methods.java:39)
  at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:210)
{code}

> AccessController should access local region if possible
> -------------------------------------------------------
>
>                 Key: HBASE-16773
>                 URL: https://issues.apache.org/jira/browse/HBASE-16773
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: 16773.branch-1.txt, 16773.v2.txt, 16773.v3.txt, 16773.v4.txt, 16773.v5.txt,
16773.v6.txt, 16773.v7.txt
>
>
> We observed the following in the stack trace of region server on a 1.1.2 cluster:
> {code}
> "PriorityRpcServer.handler=19,queue=1,port=60200" #225 daemon prio=5 os_prio=0 tid=0x00007fb562296000
nid=0x81c0 runnable [0x00007fb509a27000]
>    java.lang.Thread.State: RUNNABLE
>   at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
>   at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:269)
>   at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:93)
>   at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:86)
>   - locked <0x00000003d4dfd770> (a sun.nio.ch.Util$2)
>   - locked <0x00000003d4dfd760> (a java.util.Collections$UnmodifiableSet)
>   - locked <0x00000003d4dfd648> (a sun.nio.ch.EPollSelectorImpl)
>   at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:97)
>   at org.apache.hadoop.net.SocketIOWithTimeout$SelectorPool.select(SocketIOWithTimeout.java:335)
>   at org.apache.hadoop.net.SocketIOWithTimeout.doIO(SocketIOWithTimeout.java:157)
>   at org.apache.hadoop.net.SocketInputStream.read(SocketInputStream.java:161)
>   at org.apache.hadoop.net.SocketInputStream.read(SocketInputStream.java:131)
>   at java.io.FilterInputStream.read(FilterInputStream.java:133)
>   at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>   at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
>   - locked <0x00000003d7dae180> (a java.io.BufferedInputStream)
>   at java.io.DataInputStream.readInt(DataInputStream.java:387)
>   at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.readStatus(HBaseSaslRpcClient.java:151)
>   at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:189)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
>   - locked <0x00000003d5c7edc0> (a org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAs(Subject.java:422)
>   at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
>   - locked <0x00000003d5c7edc0> (a org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:887)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:856)
>   at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1199)
>   at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:213)
>   at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:287)
>   at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.get(ClientProtos.java:32627)
>   at org.apache.hadoop.hbase.client.HTable$3.call(HTable.java:854)
>   at org.apache.hadoop.hbase.client.HTable$3.call(HTable.java:845)
>   at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:126)
>   at org.apache.hadoop.hbase.client.HTable.get(HTable.java:862)
>   at org.apache.hadoop.hbase.client.HTable.get(HTable.java:828)
>   at org.apache.hadoop.hbase.security.access.AccessControlLists.getPermissions(AccessControlLists.java:461)
>   at org.apache.hadoop.hbase.security.access.AccessController.updateACL(AccessController.java:260)
>   at org.apache.hadoop.hbase.security.access.AccessController.postPut(AccessController.java:1661)
>   at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$32.call(RegionCoprocessorHost.java:940)
>   at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>   at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
>   at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
>   at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postPut(RegionCoprocessorHost.java:936)
>   at org.apache.hadoop.hbase.regionserver.HRegion.doMiniBatchMutation(HRegion.java:3287)
>   at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2902)
>   at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2844)
> {code}
> There were 20 threads stuck in the retrieval of permissions.
> AccessController shouldn't use Connection if getPermissions() can be satisfied by accessing
local hbase:acl region.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message