Posted to commits@hbase.apache.org by ap...@apache.org on 2014/09/15 05:29:32 UTC

[2/3] git commit: HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)

HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/435530b4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/435530b4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/435530b4

Branch: refs/heads/branch-1
Commit: 435530b4d60751655ba459693da75c73f872d15f
Parents: 49e2741
Author: Andrew Purtell <ap...@apache.org>
Authored: Sun Sep 14 20:29:22 2014 -0700
Committer: Andrew Purtell <ap...@apache.org>
Committed: Sun Sep 14 20:29:22 2014 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hbase/security/User.java   | 19 +++++++++++++++++++
 .../hbase/security/access/AccessController.java  | 17 +++++++++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d..fd12e47 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -165,6 +165,25 @@ public abstract class User {
   }
 
   /**
+   * Executes the given action as the login user
+   * @param action
+   * @return
+   * @throws IOException
+   * @throws InterruptedException
+   */
+  @SuppressWarnings({ "rawtypes", "unchecked" })
+  public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
+    try {
+      Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+      Class [] types = new Class[]{PrivilegedExceptionAction.class};
+      Object[] args = new Object[]{action};
+      return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+    } catch (Throwable e) {
+      throw new IOException(e);
+    }
+  }
+
+  /**
    * Wraps an underlying {@code UserGroupInformation} instance.
    * @param ugi The base Hadoop user
    * @return User
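Review bot: The Javadoc on the new `runAsLoginUser` does not match its signature — `@return` is empty and `@throws InterruptedException` is listed although the method declares only `IOException` — and because the whole call sits in `catch (Throwable e)`, every failure, including an `IOException` thrown by the action itself and even an `Error`, reaches the caller as a fresh generic `IOException`, so a caller can no longer catch a specific subtype such as an access-denied exception. I would pass `IOException` through unchanged and wrap only the rest, `} catch (IOException e) { throw e; } catch (Exception e) { throw new IOException(e); }`, letting `Error`s propagate; this assumes `Methods.call` unwraps the reflective target exception, which is not visible in this hunk. The method also deserves a security caveat in its Javadoc, since it runs the action under the process's login identity rather than the RPC caller's: `Runs {@code action} as the process login user, i.e. with the server's own privileges and not those of the current RPC caller; keep the action as small as possible and never hand it caller-controlled work unchecked.`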

http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d0fe19d..2e23860 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
 
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -880,7 +881,7 @@ public class AccessController extends BaseMasterAndRegionObserver
   }
 
   @Override
-  public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
+  public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> c,
       HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
     // When AC is used, it should be configured as the 1st CP.
     // In Master, the table operations like create, are handled by a Thread pool but the max size
@@ -909,9 +910,17 @@ public class AccessController extends BaseMasterAndRegionObserver
         // default the table owner to current user, if not specified.
         if (owner == null)
           owner = getActiveUser().getShortName();
-        UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
-            null, Action.values());
-        AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+        final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+            desc.getTableName(), null, Action.values());
+        // switch to the real hbase master user for doing the RPC on the ACL table
+        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+                userperm);
+            return null;
+          }
+        });
       }
     }
   }
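Review bot: The comment `// switch to the real hbase master user for doing the RPC on the ACL table` says what is done but not why, which is the substance of HBASE-11972; I would expand it to `// The put to hbase:acl would otherwise run under the request's doAs user, which normally has no write access to hbase:acl; perform the owner grant as the master's login user instead (HBASE-11972).` The elevated block wraps only the `addUserPermission` call, and `owner` is still resolved via `getActiveUser()` before the switch, so the grant is recorded for the requesting user rather than the login user — that is the right split. Note that `owner` appears to be caller-specifiable (the `if (owner == null)` default suggests it can come from the table descriptor), so the master-privileged write grants full `Action.values()` on the new table to whichever principal the creator named; that was already the case before this change but is worth stating in the comment. If other AccessController hooks that write hbase:acl (for example on table delete or modify) go through the same RPC path they presumably have the same doAs problem and would need the same wrapping, but they are outside this hunk. `postCreateTableHandler` begins in the previous hunk, outside this one.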