Posted to commits@hbase.apache.org by ap...@apache.org on 2014/09/15 05:29:33 UTC
[3/3] git commit: HBASE-11972 The doAs user used in the update to
hbase:acl table RPC is incorrect (Devaraj Das)
HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8c4baf6a
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8c4baf6a
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8c4baf6a
Branch: refs/heads/master
Commit: 8c4baf6a8a459cf6d4732842db3d742b8e63e74c
Parents: 4018e85
Author: Andrew Purtell <ap...@apache.org>
Authored: Sun Sep 14 20:29:24 2014 -0700
Committer: Andrew Purtell <ap...@apache.org>
Committed: Sun Sep 14 20:29:24 2014 -0700
----------------------------------------------------------------------
.../org/apache/hadoop/hbase/security/User.java | 19 +++++++++++++++++++
.../hbase/security/access/AccessController.java | 17 +++++++++++++----
2 files changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/8c4baf6a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d..fd12e47 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -165,6 +165,25 @@ public abstract class User {
}
/**
+ * Executes the given action as the login user
+ * @param action
+ * @return
+ * @throws IOException
+ * @throws InterruptedException
+ */
+ @SuppressWarnings({ "rawtypes", "unchecked" })
+ public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
+ try {
+ Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+ Class [] types = new Class[]{PrivilegedExceptionAction.class};
+ Object[] args = new Object[]{action};
+ return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+ } catch (Throwable e) {
+ throw new IOException(e);
+ }
+ }
+
+ /**
* Wraps an underlying {@code UserGroupInformation} instance.
* @param ugi The base Hadoop user
* @return User
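Review bot: The `catch (Throwable e)` in `runAsLoginUser` wraps every failure in a new `IOException`, including an `IOException` thrown by the action itself, so callers that catch a specific subclass (an access-denied type, for instance) will no longer see it, and an `InterruptedException` is absorbed without restoring the thread's interrupt flag. Adding `if (e instanceof IOException) throw (IOException) e;` and `if (e instanceof InterruptedException) Thread.currentThread().interrupt();` ahead of `throw new IOException(e);` would keep both signals; `Methods.call` is not visible here, so how it reports the target's exception should be confirmed. The Javadoc lists `@throws InterruptedException`, which the signature does not declare, and leaves `@param`/`@return` empty. Because this is a public static entry point that runs arbitrary code under the server's login identity, the Javadoc should also say that the caller must already have authorized the request and should keep the action as small as possible.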
http://git-wip-us.apache.org/repos/asf/hbase/blob/8c4baf6a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index fa87289..0ff0041 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
import java.io.IOException;
import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
@@ -881,7 +882,7 @@ public class AccessController extends BaseMasterAndRegionObserver
}
@Override
- public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
+ public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> c,
HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
// When AC is used, it should be configured as the 1st CP.
// In Master, the table operations like create, are handled by a Thread pool but the max size
@@ -910,9 +911,17 @@ public class AccessController extends BaseMasterAndRegionObserver
// default the table owner to current user, if not specified.
if (owner == null)
owner = getActiveUser().getShortName();
- UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
- null, Action.values());
- AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+ final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+ desc.getTableName(), null, Action.values());
+ // switch to the real hbase master user for doing the RPC on the ACL table
+ User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+ userperm);
+ return null;
+ }
+ });
}
}
}
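Review bot: The new comment above `User.runAsLoginUser(...)` says what is switched but not the constraint that keeps this safe: `owner` is resolved before the privileged action begins, and only the `hbase:acl` write runs inside it. If `getActiveUser()` falls back to the current process user (its body is outside this hunk), calling it inside `run()` would presumably return the master login user rather than the requester, and the grant would go to the wrong principal. I would extend the comment to something like `// Only the ACL table write runs as the master login user; owner must be resolved before this point, since the caller's identity is not in effect inside run().` The method body starts outside the hunk, so where the non-null `owner` value originates, and whether it is validated before full `Action.values()` rights are granted under the master identity, cannot be checked from here.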