Posted to commits@hbase.apache.org by zh...@apache.org on 2018/01/04 08:20:12 UTC

[38/38] hbase git commit: HBASE-19634 Add permission check for executeProcedures in AccessController

HBASE-19634 Add permission check for executeProcedures in AccessController


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/f27b9d4d
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/f27b9d4d
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/f27b9d4d

Branch: refs/heads/HBASE-19397
Commit: f27b9d4d7a9d9271d454f20c16ba7a8589f3b8a5
Parents: 8f1656d
Author: zhangduo <zh...@apache.org>
Authored: Thu Jan 4 16:18:21 2018 +0800
Committer: zhangduo <zh...@apache.org>
Committed: Thu Jan 4 16:18:21 2018 +0800

----------------------------------------------------------------------
 .../hbase/coprocessor/RegionServerObserver.java | 14 +++++
 .../hbase/regionserver/RSRpcServices.java       | 54 +++++++++++---------
 .../RegionServerCoprocessorHost.java            | 18 +++++++
 .../hbase/security/access/AccessController.java | 24 +++++----
 .../hadoop/hbase/TestJMXConnectorServer.java    |  7 +++
 .../security/access/TestAccessController.java   | 18 +++++--
 6 files changed, 98 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
index c1af3fb..5b751df 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
@@ -126,4 +126,18 @@ public interface RegionServerObserver {
   default void postClearCompactionQueues(
       final ObserverContext<RegionServerCoprocessorEnvironment> ctx)
       throws IOException {}
+
+  /**
+   * This will be called before executing procedures
+   * @param ctx the environment to interact with the framework and region server.
+   */
+  default void preExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException {}
+
+  /**
+   * This will be called after executing procedures
+   * @param ctx the environment to interact with the framework and region server.
+   */
+  default void postExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException {}
 }
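Review bot: The Javadoc on `preExecuteProcedures` and `postExecuteProcedures` does not state the contract that the RSRpcServices change in this commit relies on. The pre hook is called before any region is opened or closed, and an `IOException` from it is turned into a `ServiceException`, so it works as a veto. The Javadoc should say so, for example `Throwing an IOException here rejects the whole executeProcedures request before any region open/close or procedure is run.` The post hook is reached only when every loop finishes, so it should carry `Not called if the request fails part-way.` The matching `preExecuteProcedures()` / `postExecuteProcedures()` methods added to RegionServerCoprocessorHost have no Javadoc at all and would benefit from the same sentences. The interface body starts outside this hunk.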

http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
index e88f70e..695b859 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
@@ -41,7 +41,6 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.LongAdder;
-
 import org.apache.commons.lang3.mutable.MutableObject;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
@@ -142,6 +141,7 @@ import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
 import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
 import org.apache.hbase.thirdparty.com.google.protobuf.TextFormat;
 import org.apache.hbase.thirdparty.com.google.protobuf.UnsafeByteOperations;
+
 import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.shaded.protobuf.RequestConverter;
 import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
@@ -3454,36 +3454,40 @@ public class RSRpcServices implements HBaseRPCErrorHandler,
   }
 
   @Override
+  @QosPriority(priority = HConstants.ADMIN_QOS)
   public ExecuteProceduresResponse executeProcedures(RpcController controller,
       ExecuteProceduresRequest request) throws ServiceException {
-    if (request.getOpenRegionCount() > 0) {
-      for (OpenRegionRequest req : request.getOpenRegionList()) {
-        openRegion(controller, req);
+    try {
+      checkOpen();
+      regionServer.getRegionServerCoprocessorHost().preExecuteProcedures();
+      if (request.getOpenRegionCount() > 0) {
+        for (OpenRegionRequest req : request.getOpenRegionList()) {
+          openRegion(controller, req);
+        }
       }
-    }
-    if (request.getCloseRegionCount() > 0) {
-      for (CloseRegionRequest req : request.getCloseRegionList()) {
-        closeRegion(controller, req);
+      if (request.getCloseRegionCount() > 0) {
+        for (CloseRegionRequest req : request.getCloseRegionList()) {
+          closeRegion(controller, req);
+        }
       }
-    }
-    if (request.getProcCount() > 0) {
-      for (RemoteProcedureRequest req : request.getProcList()) {
-        RSProcedureCallable callable;
-        try {
-          callable =
-            Class.forName(req.getProcClass()).asSubclass(RSProcedureCallable.class).newInstance();
-        } catch (Exception e) {
-          // here we just ignore the error as this should not happen and we do not provide a general
-          // way to report errors for all types of remote procedure. The procedure will hang at
-          // master side but after you solve the problem and restart master it will be executed
-          // again and pass.
-          LOG.warn("create procedure of type " + req.getProcClass() + " failed, give up", e);
-          continue;
+      if (request.getProcCount() > 0) {
+        for (RemoteProcedureRequest req : request.getProcList()) {
+          RSProcedureCallable callable;
+          try {
+            callable =
+              Class.forName(req.getProcClass()).asSubclass(RSProcedureCallable.class).newInstance();
+          } catch (Exception e) {
+            regionServer.remoteProcedureComplete(req.getProcId(), e);
+            continue;
+          }
+          callable.init(req.getProcData().toByteArray(), regionServer);
+          regionServer.executeProcedure(req.getProcId(), callable);
         }
-        callable.init(req.getProcData().toByteArray(), regionServer);
-        regionServer.executeProcedure(req.getProcId(), callable);
       }
+      regionServer.getRegionServerCoprocessorHost().postExecuteProcedures();
+      return ExecuteProceduresResponse.getDefaultInstance();
+    } catch (IOException e) {
+      throw new ServiceException(e);
     }
-    return ExecuteProceduresResponse.getDefaultInstance();
   }
 }
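Review bot: `Class.forName(req.getProcClass())` in the proc loop loads and initializes whatever class name the request carries before `asSubclass(RSProcedureCallable.class)` can reject it, so static initializers of unrelated classes on the classpath may run. Deferring initialization until after the type check avoids that: `Class.forName(req.getProcClass(), false, getClass().getClassLoader()).asSubclass(RSProcedureCallable.class).newInstance();`. The new `preExecuteProcedures()` gate only helps when an authorizing coprocessor is loaded, because the host passes a null operation when `coprocEnvironments` is empty and that presumably skips the hook. The class lookup should therefore be safe without relying on it. The removed `LOG.warn` also leaves no region-server-side record of a failed instantiation, so consider keeping a warn next to `regionServer.remoteProcedureComplete(req.getProcId(), e);`.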

http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
index dc1708c..09617c4 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
@@ -205,6 +205,24 @@ public class RegionServerCoprocessorHost extends
     });
   }
 
+  public void preExecuteProcedures() throws IOException {
+    execOperation(coprocEnvironments.isEmpty() ? null : new RegionServerObserverOperation() {
+      @Override
+      public void call(RegionServerObserver observer) throws IOException {
+        observer.preExecuteProcedures(this);
+      }
+    });
+  }
+
+  public void postExecuteProcedures() throws IOException {
+    execOperation(coprocEnvironments.isEmpty() ? null : new RegionServerObserverOperation() {
+      @Override
+      public void call(RegionServerObserver observer) throws IOException {
+        observer.postExecuteProcedures(this);
+      }
+    });
+  }
+
   /**
    * Coprocessor environment extension providing access to region server
    * related services.

http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 602af91..e3a1bb2 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -119,13 +119,6 @@ import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
-import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;
-import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
-import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
-import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;
-import org.apache.hbase.thirdparty.com.google.common.collect.Maps;
-import org.apache.hbase.thirdparty.com.google.common.collect.Sets;
 import org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
 import org.apache.hadoop.hbase.util.ByteRange;
 import org.apache.hadoop.hbase.util.Bytes;
@@ -138,6 +131,14 @@ import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
+import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;
+import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
+import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
+import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;
+import org.apache.hbase.thirdparty.com.google.common.collect.Maps;
+import org.apache.hbase.thirdparty.com.google.common.collect.Sets;
+
 /**
  * Provides basic authorization checks for data access and administrative
  * operations.
@@ -428,7 +429,6 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   private User getActiveUser(ObserverContext<?> ctx) throws IOException {
     // for non-rpc handling, fallback to system user
     Optional<User> optionalUser = ctx.getCaller();
-    User user;
     if (optionalUser.isPresent()) {
       return optionalUser.get();
     }
@@ -2649,6 +2649,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   }
 
   @Override
+  public void preExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException {
+    checkSystemOrSuperUser(getActiveUser(ctx));
+  }
+
+  @Override
   public void preMoveServersAndTables(ObserverContext<MasterCoprocessorEnvironment> ctx,
       Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException {
     requirePermission(getActiveUser(ctx), "moveServersAndTables", Action.ADMIN);
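Review bot: The new `preExecuteProcedures` override has no comment explaining why it calls `checkSystemOrSuperUser` while its neighbour `preMoveServersAndTables` uses `requirePermission(..., Action.ADMIN)`. The test added in this commit denies USER_ADMIN, so the stricter check looks deliberate and should be recorded, for example `// executeProcedures is (presumably) a master-to-regionserver internal call: only the system user or a superuser may invoke it; ADMIN is not sufficient.` It is also worth noting there that `getActiveUser` falls back to the system user when the context has no RPC caller (see the comment in the earlier hunk), so non-RPC invocations pass this check. The class body starts and ends outside the hunk.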

http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
index 444db64..9f68252 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
@@ -202,5 +202,12 @@ public class TestJMXConnectorServer {
         throw new AccessDeniedException("Insufficient permissions to shut down cluster.");
       }
     }
+
+    @Override
+    public void preExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+        throws IOException {
+      // FIXME: ignore the procedure permission check since in our UT framework master is neither
+      // the systemuser nor the superuser so we can not call executeProcedures...
+    }
   }
 }
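Review bot: The empty `preExecuteProcedures` override switches off the new authorization check for every cluster started by this test, so the test no longer exercises the path production code takes. If the only obstacle is that the test master's user is neither the system user nor a superuser, adding that user to the test configuration's `hbase.superuser` would let the real check run. If the override stays, the FIXME should name a tracking issue so it is not forgotten, e.g. `// FIXME(<tracking issue id>): ...`. The enclosing coprocessor class starts outside the hunk, so its parent type is not visible here.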

http://git-wip-us.apache.org/repos/asf/hbase/blob/f27b9d4d/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 9498747..83886b0 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -1,4 +1,4 @@
-/*
+/**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
@@ -30,7 +30,6 @@ import com.google.protobuf.RpcCallback;
 import com.google.protobuf.RpcController;
 import com.google.protobuf.Service;
 import com.google.protobuf.ServiceException;
-
 import java.io.IOException;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
@@ -38,7 +37,6 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
@@ -3139,4 +3137,18 @@ public class TestAccessController extends SecureTestUtil {
     verifyAllowed(
         action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
   }
+
+  @Test
+  public void testExecuteProcedures() throws Exception {
+    AccessTestAction action = new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preExecuteProcedures(ObserverContextImpl.createAndPrepare(RSCP_ENV));
+        return null;
+      }
+    };
+
+    verifyAllowed(action, SUPERUSER);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN);
+  }
 }
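Review bot: `testExecuteProcedures` calls `ACCESS_CONTROLLER.preExecuteProcedures(...)` directly, so it covers the coprocessor method but not the wiring through `RSRpcServices.executeProcedures`. A later refactor could drop the `preExecuteProcedures()` call from the RPC path and this test would still pass. Consider a second case that issues the RPC as a non-superuser and expects a denial, or at least a comment such as `// Only covers the observer hook; the RPC wiring in RSRpcServices is not exercised here.` `verifyAllowed` also lists only SUPERUSER, so the system-user branch of the check is not covered.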