Date: Thu, 23 Nov 2017 23:27:00 +0000 (UTC)
From: "Guanghao Zhang (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-19334) User.runAsLoginUser not work in AccessController because it use a short circuited connection

[ https://issues.apache.org/jira/browse/HBASE-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16264841#comment-16264841 ]

Guanghao Zhang commented on HBASE-19334:
----------------------------------------

bq. Now the code is using new getConnection() which reuses the initial cluster connection (short circuited) in RS. For this the user is always the super user who started RS process.

I think you misunderstood what I said. The user was stored by a threadlocal variable. If a user A calls the grant method and then uses the short-circuited connection to bypass RPC, then the user is still user A. So User.runAsLoginUser does not work. You can try replacing the put(List) API with put(Put) and run the TestAccessControl* tests to see the result.

> User.runAsLoginUser not work in AccessController because it use a short circuited connection
> --------------------------------------------------------------------------------------------
>
>                 Key: HBASE-19334
>                 URL: https://issues.apache.org/jira/browse/HBASE-19334
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Guanghao Zhang
>            Assignee: Guanghao Zhang
>         Attachments: HBASE-19334.master.001.patch
>
>
> The short-circuited connection will bypass the RPC and the RPC context didn't change. So it still uses the old RPC user to write the ACL table, and User.runAsLoginUser does not work.
> AccessController's grant method.
> {code}
>     User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
>       @Override
>       public Void run() throws Exception {
>         // regionEnv is set at #start. Hopefully not null at this point.
>         try (Table table = regionEnv.getConnection().
>             getTable(AccessControlLists.ACL_TABLE_NAME)) {
>           AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm, table,
>               request.getMergeExistingPermissions());
>         }
>         return null;
>       }
>     });
> {code}
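
The behaviour described in the comment and the issue description above, as an added example that is not part of the original message or of HBase: a simplified model in which the server checks the thread-local RPC caller first and falls back to the current user. All class and method names are hypothetical, and the fallback order is an assumption of the model.

```java
import java.util.concurrent.Callable;

// Simplified model, not HBase code: every class and method name here is hypothetical.
public class ShortCircuitUserDemo {
    // User of the RPC call being served on this thread (set by the RPC layer).
    static final ThreadLocal<String> RPC_USER = new ThreadLocal<>();
    // Identity switched by runAsLoginUser; starts as the process login user.
    static final ThreadLocal<String> CURRENT_USER = ThreadLocal.withInitial(() -> "hbase");

    // Stand-in for User.runAsLoginUser: changes the current user, not the RPC context.
    static <T> T runAsLoginUser(Callable<T> action) throws Exception {
        String saved = CURRENT_USER.get();
        CURRENT_USER.set("hbase");
        try { return action.call(); } finally { CURRENT_USER.set(saved); }
    }

    // Assumed server-side rule: prefer the RPC caller, fall back to the current user.
    static String effectiveUser() {
        String rpcUser = RPC_USER.get();
        return rpcUser != null ? rpcUser : CURRENT_USER.get();
    }

    // A real RPC: the serving side installs the connection's user as the RPC caller.
    static String putViaRpc() {
        String outer = RPC_USER.get();
        RPC_USER.set(CURRENT_USER.get());
        try { return effectiveUser(); } finally { RPC_USER.set(outer); }
    }

    // Short-circuited call: same thread, no RPC layer, so the context is untouched.
    static String putShortCircuited() {
        return effectiveUser();
    }

    // Serve grant() for rpcCaller and return the user the ACL write is checked as.
    static String grant(String rpcCaller, boolean shortCircuit) throws Exception {
        RPC_USER.set(rpcCaller);
        try {
            return runAsLoginUser(() -> shortCircuit ? putShortCircuited() : putViaRpc());
        } finally { RPC_USER.remove(); }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ACL write via RPC runs as:         " + grant("userA", false));
        System.out.println("ACL write short-circuited runs as: " + grant("userA", true));
    }
}
```

In this model the identity switch takes effect only when the nested call passes through the RPC layer; on the short-circuited path the ACL write is still evaluated as the original caller.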