You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by st...@apache.org on 2014/12/28 06:12:07 UTC
hbase git commit: HBASE-12641 Grant all permissions of hbase
zookeeper node to hbase superuser in a secure cluster (Liu Shaohui)
Repository: hbase
Updated Branches:
refs/heads/master 9abab54d8 -> a8766fd62
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/a8766fd6
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/a8766fd6
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/a8766fd6
Branch: refs/heads/master
Commit: a8766fd623e5679b13600646ac2808e733f98d07
Parents: 9abab54
Author: stack <st...@apache.org>
Authored: Sat Dec 27 21:11:57 2014 -0800
Committer: stack <st...@apache.org>
Committed: Sat Dec 27 21:11:57 2014 -0800
----------------------------------------------------------------------
.../apache/hadoop/hbase/zookeeper/ZKUtil.java | 20 +++++++++++++++++---
.../hbase/zookeeper/ZooKeeperWatcher.java | 5 -----
2 files changed, 17 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index da0d8b2..64f75c4 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -61,9 +61,11 @@ import org.apache.zookeeper.KeeperException.NoNodeException;
import org.apache.zookeeper.Op;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZooKeeperSaslClient;
import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.proto.CreateRequest;
import org.apache.zookeeper.proto.DeleteRequest;
@@ -949,8 +951,17 @@ public class ZKUtil {
conf.get("hbase.zookeeper.client.keytab.file") != null);
}
- private static List<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ private static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ if (!node.startsWith(zkw.baseZNode)) {
+ return Ids.OPEN_ACL_UNSAFE;
+ }
if (isSecureZooKeeper(zkw.getConfiguration())) {
+ String superUser = zkw.getConfiguration().get("hbase.superuser");
+ ArrayList<ACL> acls = new ArrayList<ACL>();
+ // add permission to hbase supper user
+ if (superUser != null) {
+ acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
+ }
// Certain znodes are accessed directly by the client,
// so they must be readable by non-authenticated clients
if ((node.equals(zkw.baseZNode) == true) ||
@@ -960,9 +971,12 @@ public class ZKUtil {
(node.equals(zkw.rsZNode) == true) ||
(node.equals(zkw.backupMasterAddressesZNode) == true) ||
(node.startsWith(zkw.tableZNode) == true)) {
- return ZooKeeperWatcher.CREATOR_ALL_AND_WORLD_READABLE;
+ acls.addAll(Ids.CREATOR_ALL_ACL);
+ acls.addAll(Ids.READ_ACL_UNSAFE);
+ } else {
+ acls.addAll(Ids.CREATOR_ALL_ACL);
}
- return Ids.CREATOR_ALL_ACL;
+ return acls;
} else {
return Ids.OPEN_ACL_UNSAFE;
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
index 84bd9f8..f287a0e 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
@@ -111,11 +111,6 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable {
public static String namespaceZNode = "namespace";
- // Certain ZooKeeper nodes need to be world-readable
- public static final List<ACL> CREATOR_ALL_AND_WORLD_READABLE =
- Arrays.asList(new ACL(ZooDefs.Perms.READ,ZooDefs.Ids.ANYONE_ID_UNSAFE),
- new ACL(ZooDefs.Perms.ALL,ZooDefs.Ids.AUTH_IDS));
-
private final Configuration conf;
private final Exception constructorCaller;