hbase-issues mailing list archives

From "Guanghao Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-19334) User.runAsLoginUser not work in AccessController because it use a short circuited connection
Date Thu, 23 Nov 2017 23:27:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16264841#comment-16264841 ]

Guanghao Zhang commented on HBASE-19334:
----------------------------------------

bq. Now the code is using new getConnection() which reuses the initial cluster connection
(short circuited) in RS. For this the user is always the super user who started RS process.

I thought you misunderstood what I said. The user was stored by a threadlocal variable. If
user A calls the grant method and then uses the short-circuited connection to bypass RPC, then
the user is still user A. So User.runAsLoginUser does not work. You can try replacing the
put(List) API with put(Put) and run the TestAccessControl* tests to see the result.

> User.runAsLoginUser not work in AccessController because it use a short circuited connection
> --------------------------------------------------------------------------------------------
>
>                 Key: HBASE-19334
>                 URL: https://issues.apache.org/jira/browse/HBASE-19334
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Guanghao Zhang
>            Assignee: Guanghao Zhang
>         Attachments: HBASE-19334.master.001.patch
>
>
> The short-circuited connection will bypass the RPC and the RPC context didn't change. So it still uses the old RPC user to write the ACL table, and User.runAsLoginUser does not work.
> AccessController's grant method.
> {code}
>         User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
>           @Override
>           public Void run() throws Exception {
>             // regionEnv is set at #start. Hopefully not null at this point.
>             try (Table table = regionEnv.getConnection().
>                 getTable(AccessControlLists.ACL_TABLE_NAME)) {
>               AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm, table,
>                   request.getMergeExistingPermissions());
>             }
>             return null;
>           }
>         });
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
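
The thread-local behaviour described in the comment above, as an added example that is not part of the original message and is not HBase code. It is a simplified model: every class, field and method name (`RPC_USER`, `DO_AS_USER`, `activeUser`, `putViaRpc`, `putShortCircuit`) and the user names are hypothetical, and the real RPC hop is modelled by swapping the call context on the same thread.

```java
import java.util.Optional;
import java.util.concurrent.Callable;

// Simplified model of the issue; hypothetical names, not the HBase implementation.
public class ShortCircuitIdentityDemo {
    // Identity of the RPC caller, bound to the handler thread while a call is served.
    static final ThreadLocal<String> RPC_USER = new ThreadLocal<>();
    // Identity installed by runAsLoginUser (stands in for the doAs subject).
    static final ThreadLocal<String> DO_AS_USER = new ThreadLocal<>();
    static final String LOGIN_USER = "hbase"; // constructed: user that started the server

    // The user the ACL table write is checked against: RPC caller first, doAs user as fallback.
    static String activeUser() {
        return Optional.ofNullable(RPC_USER.get()).orElse(DO_AS_USER.get());
    }

    static <T> T runAsLoginUser(Callable<T> action) throws Exception {
        String previous = DO_AS_USER.get();
        DO_AS_USER.set(LOGIN_USER);
        try { return action.call(); } finally { DO_AS_USER.set(previous); }
    }

    // Real RPC: the write is served under a new call context whose caller is the doAs user.
    static String putViaRpc() {
        String saved = RPC_USER.get();
        RPC_USER.set(DO_AS_USER.get());
        try { return activeUser(); } finally { RPC_USER.set(saved); }
    }

    // Short-circuited connection: a direct call on the same thread, RPC context untouched.
    static String putShortCircuit() {
        return activeUser();
    }

    // grant() handler, running while an RPC from requestUser is being served.
    static String grant(String requestUser, boolean shortCircuit) throws Exception {
        RPC_USER.set(requestUser);
        try {
            return runAsLoginUser(() -> shortCircuit ? putShortCircuit() : putViaRpc());
        } finally {
            RPC_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ACL write over RPC runs as:        " + grant("userA", false));
        System.out.println("ACL write short-circuited runs as: " + grant("userA", true));
    }
}
```

In this model the short-circuited write is still attributed to the original caller, because `runAsLoginUser` changes only the doAs identity and never the thread-local RPC context.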
