You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by el...@apache.org on 2017/07/25 22:26:40 UTC
[1/3] hbase git commit: HBASE-18323 Remove multiple ACLs for the same
user in kerberos
Repository: hbase
Updated Branches:
refs/heads/branch-1 26247996d -> 8ea7a364b
refs/heads/branch-2 4e3a750b0 -> 8ad76bbc8
refs/heads/master c891642a5 -> d7febd54d
HBASE-18323 Remove multiple ACLs for the same user in kerberos
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/d7febd54
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/d7febd54
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/d7febd54
Branch: refs/heads/master
Commit: d7febd54da6f8a01df1c880f8fb9af3b8d82d9c3
Parents: c891642
Author: 张世彬10204932 <zh...@zte.com.cn>
Authored: Sat Jul 22 12:28:43 2017 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Tue Jul 25 18:10:50 2017 -0400
----------------------------------------------------------------------
.../org/apache/hadoop/hbase/zookeeper/ZKUtil.java | 11 ++++++++++-
.../apache/hadoop/hbase/zookeeper/TestZKUtil.java | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/d7febd54/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 08b059e..a31cab9 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.CreateAndFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.DeleteNodeFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.SetData;
import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.zookeeper.AsyncCallback;
import org.apache.zookeeper.CreateMode;
@@ -907,6 +908,12 @@ public class ZKUtil {
ArrayList<ACL> acls = new ArrayList<>();
// add permission to hbase supper user
String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
+ String hbaseUser = null;
+ try {
+ hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ LOG.debug("Could not acquire current User.", e);
+ }
if (superUsers != null) {
List<String> groups = new ArrayList<>();
for (String user : superUsers) {
@@ -914,7 +921,9 @@ public class ZKUtil {
// TODO: Set node ACL for groups when ZK supports this feature
groups.add(user);
} else {
- acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ if(!user.equals(hbaseUser)) {
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ }
}
}
if (!groups.isEmpty()) {
http://git-wip-us.apache.org/repos/asf/hbase/blob/d7febd54/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 076569b..0e1ab92 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.ZooKeeperConnectionException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
@@ -77,4 +78,19 @@ public class TestZKUtil {
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
}
+
+ @Test
+ public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
+ String node = "/hbase/testCreateACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 3); // 3, since service user the same as one of superuser
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6"))));
+ }
}
[3/3] hbase git commit: HBASE-18323 Remove multiple ACLs for the same
user in kerberos
Posted by el...@apache.org.
HBASE-18323 Remove multiple ACLs for the same user in kerberos
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8ea7a364
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8ea7a364
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8ea7a364
Branch: refs/heads/branch-1
Commit: 8ea7a364bf093e8b569ab3fee002140e8280b9cf
Parents: 2624799
Author: 张世彬10204932 <zh...@zte.com.cn>
Authored: Sat Jul 22 12:28:43 2017 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Tue Jul 25 18:22:45 2017 -0400
----------------------------------------------------------------------
.../org/apache/hadoop/hbase/zookeeper/ZKUtil.java | 11 ++++++++++-
.../apache/hadoop/hbase/zookeeper/TestZKUtil.java | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/8ea7a364/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 4f4b2eb..d874768 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.CreateAndFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.DeleteNodeFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.SetData;
import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.zookeeper.AsyncCallback;
import org.apache.zookeeper.CreateMode;
@@ -913,6 +914,12 @@ public class ZKUtil {
ArrayList<ACL> acls = new ArrayList<ACL>();
// add permission to hbase supper user
String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
+ String hbaseUser = null;
+ try {
+ hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ LOG.debug("Could not acquire current User.", e);
+ }
if (superUsers != null) {
List<String> groups = new ArrayList<String>();
for (String user : superUsers) {
@@ -920,7 +927,9 @@ public class ZKUtil {
// TODO: Set node ACL for groups when ZK supports this feature
groups.add(user);
} else {
- acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ if(!user.equals(hbaseUser)) {
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ }
}
}
if (!groups.isEmpty()) {
http://git-wip-us.apache.org/repos/asf/hbase/blob/8ea7a364/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 1099e5e..02d002a 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.ZooKeeperConnectionException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
@@ -78,4 +79,19 @@ public class TestZKUtil {
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
}
+
+ @Test
+ public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
+ String node = "/hbase/testCreateACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 3); // 3, since service user the same as one of superuser
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6"))));
+ }
}
[2/3] hbase git commit: HBASE-18323 Remove multiple ACLs for the same
user in kerberos
Posted by el...@apache.org.
HBASE-18323 Remove multiple ACLs for the same user in kerberos
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8ad76bbc
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8ad76bbc
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8ad76bbc
Branch: refs/heads/branch-2
Commit: 8ad76bbc881bb410355551dfcd3dc05ae794a51f
Parents: 4e3a750
Author: 张世彬10204932 <zh...@zte.com.cn>
Authored: Sat Jul 22 12:28:43 2017 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Tue Jul 25 18:17:02 2017 -0400
----------------------------------------------------------------------
.../org/apache/hadoop/hbase/zookeeper/ZKUtil.java | 11 ++++++++++-
.../apache/hadoop/hbase/zookeeper/TestZKUtil.java | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/8ad76bbc/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 08b059e..a31cab9 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.CreateAndFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.DeleteNodeFailSilent;
import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.SetData;
import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.zookeeper.AsyncCallback;
import org.apache.zookeeper.CreateMode;
@@ -907,6 +908,12 @@ public class ZKUtil {
ArrayList<ACL> acls = new ArrayList<>();
// add permission to hbase supper user
String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
+ String hbaseUser = null;
+ try {
+ hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ LOG.debug("Could not acquire current User.", e);
+ }
if (superUsers != null) {
List<String> groups = new ArrayList<>();
for (String user : superUsers) {
@@ -914,7 +921,9 @@ public class ZKUtil {
// TODO: Set node ACL for groups when ZK supports this feature
groups.add(user);
} else {
- acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ if(!user.equals(hbaseUser)) {
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ }
}
}
if (!groups.isEmpty()) {
http://git-wip-us.apache.org/repos/asf/hbase/blob/8ad76bbc/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 076569b..0e1ab92 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.ZooKeeperConnectionException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
@@ -77,4 +78,19 @@ public class TestZKUtil {
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
}
+
+ @Test
+ public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
+ String node = "/hbase/testCreateACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 3); // 3, since service user the same as one of superuser
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6"))));
+ }
}