Posted to commits@accumulo.apache.org by bu...@apache.org on 2019/02/08 18:40:55 UTC
[accumulo] branch 1.9 updated: Upgrade process should not assume
the administrative user is named 'root'. (#944)
This is an automated email from the ASF dual-hosted git repository.
busbey pushed a commit to branch 1.9
in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/1.9 by this push:
new cee8fa1 Upgrade process should not assume the administrative user is named 'root'. (#944)
cee8fa1 is described below
commit cee8fa1c4c71672f2712a6f8d0b284112bf06186
Author: Sean Busbey <se...@gmail.com>
AuthorDate: Fri Feb 8 12:40:50 2019 -0600
Upgrade process should not assume the administrative user is named 'root'. (#944)
When Accumulo is configured to use Kerberos for client authentication the
administrative user is configured at security initialization. Before this
change the upgrade process would attempt to grant access to the system
namespace to the 'root' user rather than to the configured administrative
user.
Co-Authored-By: Christopher Tubbs <ct...@apache.org>
---
.../src/main/java/org/apache/accumulo/master/Master.java | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/server/master/src/main/java/org/apache/accumulo/master/Master.java b/server/master/src/main/java/org/apache/accumulo/master/Master.java
index 7255410..8e2881a 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/Master.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/Master.java
@@ -450,6 +450,12 @@ public class Master extends AccumuloServerContext
moveRootTabletToRootTable(zoo);
// add system namespace permissions to existing users
+ // N.B. this section is ignoring the configured PermissionHandler
+ // under the assumption that these details are in zk and we can
+ // modify the structure so long as we pass back in whatever we read.
+ // This is true for any permission handler, including KerberosPermissionHandler,
+ // that uses the ZKPermHandler for permissions storage so long
+ // as the PermHandler only overrides the user name, and we don't care what the user name is.
ZKPermHandler perm = new ZKPermHandler();
perm.initialize(getInstance().getInstanceID(), true);
String users = ZooUtil.getRoot(getInstance()) + "/users";
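Review bot: The comment added above `ZKPermHandler perm = new ZKPermHandler();` records an assumption that nothing in this block checks: that the configured handler stores permissions through ZKPermHandler and only overrides the user name. If a deployment configures a permission handler that keeps its permissions elsewhere, the grants written here would land in ZooKeeper nodes that handler never reads, and nothing in the visible lines would report it. Consider verifying the configured handler before taking this path, or at least logging which handler is configured, so a broken assumption shows up in the upgrade log rather than as missing namespace permissions later.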
@@ -459,8 +465,14 @@ public class Master extends AccumuloServerContext
perm.grantNamespacePermission(user, Namespaces.ACCUMULO_NAMESPACE_ID,
NamespacePermission.READ);
}
- perm.grantNamespacePermission("root", Namespaces.ACCUMULO_NAMESPACE_ID,
- NamespacePermission.ALTER_TABLE);
+ // because we need to refer to the root username, we can't use the
+ // ZKPermHandler directly since that violates our earlier assumption that we don't
+ // care about contents of the username. When using a PermissionHandler that needs to
+ // encode the username in some way, i.e. the KerberosPermissionHandler, things would
+ // fail. Instead we should be able to use the security object since
+ // the loop above should have made the needed structure in ZK.
+ security.grantNamespacePermission(rpcCreds(), security.getRootUsername(),
+ Namespaces.ACCUMULO_NAMESPACE_ID, NamespacePermission.ALTER_TABLE);
// add the currlog location for root tablet current logs
zoo.putPersistentData(ZooUtil.getRoot(getInstance()) + RootTable.ZROOT_TABLET_CURRENT_LOGS,
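Review bot: The replacement call `security.grantNamespacePermission(rpcCreds(), security.getRootUsername(), ...)` depends on the preceding loop having created the ZooKeeper structure for the administrative user, and the new comment states this only as "should have made the needed structure". That holds only if the name returned by `security.getRootUsername()` corresponds to one of the entries read from the `/users` path; if it does not, the ALTER_TABLE grant on the system namespace may not be applied during upgrade. Suggest checking for that explicitly and logging the outcome, and confirming how an exception from this call is handled, since the visible context does not show it. Minor: "i.e. the KerberosPermissionHandler" in the comment reads as an example, so "e.g." fits better.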