You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by vi...@apache.org on 2012/01/19 18:16:01 UTC
svn commit: r1233477 - in /incubator/accumulo/trunk: ./ src/server/
src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
Author: vines
Date: Thu Jan 19 17:16:01 2012
New Revision: 1233477
URL: http://svn.apache.org/viewvc?rev=1233477&view=rev
Log:
Merging ACCUMULO-328
Modified:
incubator/accumulo/trunk/ (props changed)
incubator/accumulo/trunk/src/server/ (props changed)
incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
Propchange: incubator/accumulo/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan 19 17:16:01 2012
@@ -1,3 +1,3 @@
/incubator/accumulo/branches/1.3:1190280,1190413,1190420,1190427,1190500,1195622,1195625,1195629,1195635,1196044,1196054,1196057,1196071-1196072,1196106,1197066,1198935,1199383,1203683,1204625,1205547,1205880,1206169,1208031,1209124,1209526,1209532,1209539,1209541,1209587,1209657,1210518,1210571,1210596,1210598,1213424,1214320,1225006,1227215,1227231,1227611,1228195,1230180,1230736,1231043
/incubator/accumulo/branches/1.3.5rc:1209938
-/incubator/accumulo/branches/1.4:1201902-1233090
+/incubator/accumulo/branches/1.4:1201902-1233475
Propchange: incubator/accumulo/trunk/src/server/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan 19 17:16:01 2012
@@ -1,3 +1,3 @@
-/incubator/accumulo/branches/1.3.5rc/src/server:1209938
/incubator/accumulo/branches/1.3/src/server:1190280,1190413,1190420,1190427,1190500,1195622,1195625,1195629,1195635,1196044,1196054,1196057,1196071-1196072,1196106,1197066,1198935,1199383,1203683,1204625,1205547,1205880,1206169,1208031,1209124,1209526,1209532,1209539,1209541,1209587,1209657,1210518,1210571,1210596,1210598,1213424,1214320,1225006,1227215,1227231,1227611
-/incubator/accumulo/branches/1.4/src/server:1201902-1233090
+/incubator/accumulo/branches/1.3.5rc/src/server:1209938
+/incubator/accumulo/branches/1.4/src/server:1201902-1233475
Modified: incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
URL: http://svn.apache.org/viewvc/incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java?rev=1233477&r1=1233476&r2=1233477&view=diff
==============================================================================
--- incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java (original)
+++ incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java Thu Jan 19 17:16:01 2012
@@ -338,7 +338,11 @@ public final class ZKAuthenticator imple
return Constants.NO_AUTHS;
if (userExists(user))
- return Tool.convertAuthorizations(zooCache.get(ZKUserPath + "/" + user + ZKUserAuths));
+ try {
+ return Tool.convertAuthorizations(zooCache.get(ZKUserPath + "/" + user + ZKUserAuths));
+ } catch (IllegalArgumentException iae) {
+ // User was deleted between checking existance and grabbing auths.
+ }
throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
}
@@ -400,14 +404,18 @@ public final class ZKAuthenticator imple
// Don't let nonexistant users scan
if (!userExists(user))
throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
-
+
// allow anybody to read the METADATA table
if (table.equals(Constants.METADATA_TABLE_ID) && permission.equals(TablePermission.READ))
return true;
byte[] serializedPerms = zooCache.get(ZKUserPath + "/" + user + ZKUserTablePerms + "/" + table);
if (serializedPerms != null) {
- return Tool.convertTablePermissions(serializedPerms).contains(permission);
+ try {
+ return Tool.convertTablePermissions(serializedPerms).contains(permission);
+ } catch (IllegalArgumentException iae) {
+ throw new AccumuloSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
+ }
}
return false;
}
@@ -425,8 +433,8 @@ public final class ZKAuthenticator imple
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.GRANT_INVALID);
if (userExists(user)) {
- Set<SystemPermission> perms = Tool.convertSystemPermissions(zooCache.get(ZKUserPath + "/" + user + ZKUserSysPerms));
try {
+ Set<SystemPermission> perms = Tool.convertSystemPermissions(zooCache.get(ZKUserPath + "/" + user + ZKUserSysPerms));
if (perms.add(permission)) {
synchronized (zooCache) {
zooCache.clear();
@@ -435,6 +443,10 @@ public final class ZKAuthenticator imple
}
}
log.info("Granted system permission " + permission + " for user " + user + " at the request of user " + credentials.user);
+ return;
+ } catch (IllegalArgumentException iae) {
+ // User was deleted between checking existance and grabbing auths.
+ // Exception at end handles this
} catch (KeeperException e) {
log.error(e, e);
throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e);
@@ -442,10 +454,10 @@ public final class ZKAuthenticator imple
log.error(e, e);
throw new RuntimeException(e);
}
- } else
- throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
+ }
+ throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
}
-
+
@Override
public void grantTablePermission(AuthInfo credentials, String user, String table, TablePermission permission) throws AccumuloSecurityException {
if (!hasSystemPermission(credentials, credentials.user, SystemPermission.ALTER_USER)
@@ -483,7 +495,7 @@ public final class ZKAuthenticator imple
} else
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST); // user doesn't exist
}
-
+
@Override
public void revokeSystemPermission(AuthInfo credentials, String user, SystemPermission permission) throws AccumuloSecurityException {
if (!hasSystemPermission(credentials, credentials.user, SystemPermission.GRANT))
@@ -495,10 +507,10 @@ public final class ZKAuthenticator imple
if (permission.equals(SystemPermission.GRANT))
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.GRANT_INVALID);
-
+
if (userExists(user)) {
- Set<SystemPermission> sysPerms = Tool.convertSystemPermissions(zooCache.get(ZKUserPath + "/" + user + ZKUserSysPerms));
try {
+ Set<SystemPermission> sysPerms = Tool.convertSystemPermissions(zooCache.get(ZKUserPath + "/" + user + ZKUserSysPerms));
if (sysPerms.remove(permission)) {
synchronized (zooCache) {
zooCache.clear();
@@ -507,6 +519,10 @@ public final class ZKAuthenticator imple
}
}
log.info("Revoked system permission " + permission + " for user " + user + " at the request of user " + credentials.user);
+ } catch (IllegalArgumentException iae) {
+ // User was deleted between checking and pulling from the zooCache
+ throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST);
+
} catch (KeeperException e) {
log.error(e, e);
throw new AccumuloSecurityException(user, SecurityErrorCode.CONNECTION_ERROR, e);
@@ -517,7 +533,7 @@ public final class ZKAuthenticator imple
} else
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST);
}
-
+
@Override
public void revokeTablePermission(AuthInfo credentials, String user, String table, TablePermission permission) throws AccumuloSecurityException {
if (!hasSystemPermission(credentials, credentials.user, SystemPermission.ALTER_USER)
@@ -555,7 +571,7 @@ public final class ZKAuthenticator imple
} else
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.USER_DOESNT_EXIST);
}
-
+
@Override
public void deleteTable(AuthInfo credentials, String table) throws AccumuloSecurityException {
if (!hasSystemPermission(credentials, credentials.user, SystemPermission.DROP_TABLE)
@@ -577,7 +593,7 @@ public final class ZKAuthenticator imple
throw new RuntimeException(e);
}
}
-
+
/**
* All the static too methods used for this class, so that we can separate out stuff that isn't using ZooKeeper. That way, we can check the synchronization
* model more easily, as we only need to check to make sure zooCache is cleared when things are written to ZooKeeper in methods that might use it. These
@@ -644,7 +660,7 @@ public final class ZKAuthenticator imple
public static byte[] convertAuthorizations(Authorizations authorizations) {
return authorizations.getAuthorizationsArray();
}
-
+
public static byte[] convertSystemPermissions(Set<SystemPermission> systempermissions) {
ByteArrayOutputStream bytes = new ByteArrayOutputStream(systempermissions.size());
DataOutputStream out = new DataOutputStream(bytes);
@@ -692,12 +708,12 @@ public final class ZKAuthenticator imple
return toReturn;
}
}
-
+
@Override
public void clearCache(String user) {
zooCache.clear(ZKUserPath + "/" + user);
}
-
+
@Override
public void clearCache(String user, String tableId) {
zooCache.clear(ZKUserPath + "/" + user + ZKUserTablePerms + "/" + tableId);