Posted to commits@accumulo.apache.org by el...@apache.org on 2015/07/08 17:31:38 UTC

[2/3] accumulo git commit: ACCUMULO-3831 Eat user exists exception on automatic user-creation

ACCUMULO-3831 Eat user exists exception on automatic user-creation

Kerberos authentication will automatically make sure an Accumulo user
exists (in ZK) to ensure that the Authorizor and PermissionHandler will
all work normally. Concurrent requests from the same user may fail if
one creates the user before the other.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/38baaa8a
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/38baaa8a
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/38baaa8a

Branch: refs/heads/master
Commit: 38baaa8a653b7a1aa792e74182829ed7adbde74f
Parents: b9a190a
Author: Josh Elser <el...@apache.org>
Authored: Thu Jul 2 18:20:26 2015 -0400
Committer: Josh Elser <el...@apache.org>
Committed: Wed Jul 8 11:30:46 2015 -0400

----------------------------------------------------------------------
 .../accumulo/server/security/SecurityOperation.java     | 12 +++++++++++-
 .../server/security/handler/KerberosAuthenticator.java  |  1 -
 2 files changed, 11 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/38baaa8a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index 3bb8a6c..7ad0b48 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -183,7 +183,17 @@ public class SecurityOperation {
           if (!authenticator.userExists(creds.getPrincipal())) {
             // If we call the normal createUser method, it will loop back into this method
             // when it tries to check if the user has permission to create users
-            _createUser(credentials, creds, Authorizations.EMPTY);
+            try {
+              _createUser(credentials, creds, Authorizations.EMPTY);
+            } catch (ThriftSecurityException e) {
+              if (SecurityErrorCode.USER_EXISTS != e.getCode()) {
+                // For Kerberos, a user acct is automatically created because there is no notion of a password
+                // in the traditional sense of Accumulo users. As such, if a user acct already exists when we
+                // try to automatically create a user account, we should avoid returning this exception back to the user.
+                // We want to let USER_EXISTS code pass through and continue
+                throw e;
+              }
+            }
           }
         } catch (AccumuloSecurityException e) {
           log.debug("Failed to determine if user exists", e);
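Review bot: The comment explaining why USER_EXISTS is tolerated sits inside the `if (SecurityErrorCode.USER_EXISTS != e.getCode())` branch, which is the rethrow path, so it reads as if it documented `throw e;`. Move it above the `if`, and give the swallowed case a trace of its own, for example `} else { log.debug("User " + creds.getPrincipal() + " already exists, continuing"); }`, so that an ignored security exception is still visible when debugging authentication. It is also worth confirming what `_createUser` does after the authenticator step, since its body is not in this hunk. If it goes on to initialise authorizations or permissions for the new principal, a request that loses the race continues here while the winning request may not have finished that initialisation. The enclosing method starts and ends outside the hunk.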

http://git-wip-us.apache.org/repos/asf/accumulo/blob/38baaa8a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
index 3ead57f..0aecfbf 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
@@ -158,7 +158,6 @@ public class KerberosAuthenticator implements Authenticator {
       createUserNodeInZk(Base64.encodeBase64String(principal.getBytes(UTF_8)));
     } catch (KeeperException e) {
       if (e.code().equals(KeeperException.Code.NODEEXISTS)) {
-        log.error("User already exists in ZooKeeper", e);
         throw new AccumuloSecurityException(principal, SecurityErrorCode.USER_EXISTS, e);
       }
       log.error("Failed to create user in ZooKeeper", e);