From 4259da722e1982ecf91ec2cb9ded9671349cd56a Mon Sep 17 00:00:00 2001 From: Wei-Chiu Chuang Date: Thu, 19 Jul 2018 20:17:06 +0800 Subject: [PATCH] HBASE-20869 Endpoint-based Export use incorrect user to write to destination Signed-off-by: Chia-Ping Tsai Signed-off-by: tedyu --- .../apache/hadoop/hbase/coprocessor/Export.java | 13 ++++++++++--- .../hbase/coprocessor/TestSecureExport.java | 16 ++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java b/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java index 6d6c1a66671..b21d5c3f29a 100644 --- a/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java +++ b/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java @@ -451,9 +451,16 @@ public class Export extends ExportProtos.ExportService implements RegionCoproces SecureWriter(final Configuration conf, final UserProvider userProvider, final Token userToken, final List opts) throws IOException { - privilegedWriter = new PrivilegedWriter(getActiveUser(userProvider, userToken), - SequenceFile.createWriter(conf, - opts.toArray(new SequenceFile.Writer.Option[opts.size()]))); + User user = getActiveUser(userProvider, userToken); + try { + SequenceFile.Writer sequenceFileWriter = + user.runAs((PrivilegedExceptionAction) () -> + SequenceFile.createWriter(conf, + opts.toArray(new SequenceFile.Writer.Option[opts.size()]))); + privilegedWriter = new PrivilegedWriter(user, sequenceFileWriter); + } catch (InterruptedException e) { + throw new IOException(e); + } } void append(final Object key, final Object value) throws IOException { diff --git a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java index 21f17f76a8a..b2ca1d418b3 100644 --- a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java +++ b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java @@ -29,6 +29,7 @@ import java.util.List; import java.util.Map; import java.util.Properties; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.FsAction; @@ -336,6 +337,21 @@ public class TestSecureExport { LOG.error(ex.toString(), ex); throw new Exception(ex); } finally { + if (fs.exists(new Path(openDir, "output"))) { + // if export completes successfully, every file under the output directory should be + // owned by the current user, not the hbase service user. + FileStatus outputDirFileStatus = fs.getFileStatus(new Path(openDir, "output")); + String currentUserName = User.getCurrent().getShortName(); + assertEquals("Unexpected file owner", currentUserName, outputDirFileStatus.getOwner()); + + FileStatus[] outputFileStatus = fs.listStatus(new Path(openDir, "output")); + for (FileStatus fileStatus: outputFileStatus) { + assertEquals("Unexpected file owner", currentUserName, fileStatus.getOwner()); + } + } else { + LOG.info("output directory doesn't exist. Skip check"); + } + clearOutput(output); } };