Posted to commits@hbase.apache.org by st...@apache.org on 2014/12/28 06:12:07 UTC

hbase git commit: HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui)

Repository: hbase
Updated Branches:
  refs/heads/master 9abab54d8 -> a8766fd62


HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/a8766fd6
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/a8766fd6
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/a8766fd6

Branch: refs/heads/master
Commit: a8766fd623e5679b13600646ac2808e733f98d07
Parents: 9abab54
Author: stack <st...@apache.org>
Authored: Sat Dec 27 21:11:57 2014 -0800
Committer: stack <st...@apache.org>
Committed: Sat Dec 27 21:11:57 2014 -0800

----------------------------------------------------------------------
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   | 20 +++++++++++++++++---
 .../hbase/zookeeper/ZooKeeperWatcher.java       |  5 -----
 2 files changed, 17 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index da0d8b2..64f75c4 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -61,9 +61,11 @@ import org.apache.zookeeper.KeeperException.NoNodeException;
 import org.apache.zookeeper.Op;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.client.ZooKeeperSaslClient;
 import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
 import org.apache.zookeeper.proto.CreateRequest;
 import org.apache.zookeeper.proto.DeleteRequest;
@@ -949,8 +951,17 @@ public class ZKUtil {
          conf.get("hbase.zookeeper.client.keytab.file") != null);
   }
 
-  private static List<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+  private static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+    if (!node.startsWith(zkw.baseZNode)) {
+      return Ids.OPEN_ACL_UNSAFE;
+    }
     if (isSecureZooKeeper(zkw.getConfiguration())) {
+      String superUser = zkw.getConfiguration().get("hbase.superuser");
+      ArrayList<ACL> acls = new ArrayList<ACL>();
+      // add permission to hbase supper user
+      if (superUser != null) {
+        acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
+      }
       // Certain znodes are accessed directly by the client,
       // so they must be readable by non-authenticated clients
       if ((node.equals(zkw.baseZNode) == true) ||
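Review bot: The superuser entry added with `new ACL(Perms.ALL, new Id("auth", superUser))` probably grants nothing to the superuser, because ZooKeeper's `auth` scheme ignores the id it is given and records the identities of the connection that sets the ACL, so the entry would only duplicate the creator grant. On a SASL-secured ensemble the form that names a principal is `new Id("sasl", superUser)`; if `hbase.superuser` can hold a comma-separated list or `@group` entries (not visible here), the raw value also needs splitting and filtering before it is used as an id. Separately, the new early `return Ids.OPEN_ACL_UNSAFE` for any node outside `zkw.baseZNode` runs before the secure-cluster check, so such znodes stay world-writable even with security on; a comment naming which paths are expected to take that branch would let a reader judge whether that is intended. The added comment's `supper user` should read `superuser`. createACL's body continues past this hunk.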
@@ -960,9 +971,12 @@ public class ZKUtil {
           (node.equals(zkw.rsZNode) == true) ||
           (node.equals(zkw.backupMasterAddressesZNode) == true) ||
           (node.startsWith(zkw.tableZNode) == true)) {
-        return ZooKeeperWatcher.CREATOR_ALL_AND_WORLD_READABLE;
+        acls.addAll(Ids.CREATOR_ALL_ACL);
+        acls.addAll(Ids.READ_ACL_UNSAFE);
+      } else {
+        acls.addAll(Ids.CREATOR_ALL_ACL);
       }
-      return Ids.CREATOR_ALL_ACL;
+      return acls;
     } else {
       return Ids.OPEN_ACL_UNSAFE;
     }
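Review bot: Both branches of the new `if`/`else` call `acls.addAll(Ids.CREATOR_ALL_ACL)`, so that call can be hoisted above the condition and the `else` dropped, leaving only `acls.addAll(Ids.READ_ACL_UNSAFE)` inside the `if`. That keeps the world-readable grant as the single visible difference between the two kinds of znode, which is the line a security reviewer needs to find. The condition itself opens outside this hunk.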

http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
index 84bd9f8..f287a0e 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
@@ -111,11 +111,6 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable {
   public static String namespaceZNode = "namespace";
 
 
-  // Certain ZooKeeper nodes need to be world-readable
-  public static final List<ACL> CREATOR_ALL_AND_WORLD_READABLE =
-    Arrays.asList(new ACL(ZooDefs.Perms.READ,ZooDefs.Ids.ANYONE_ID_UNSAFE),
-      new ACL(ZooDefs.Perms.ALL,ZooDefs.Ids.AUTH_IDS));
-
   private final Configuration conf;
 
   private final Exception constructorCaller;