From 57477fe18cb36f62b8c7267ab6c5230c3a0e7e0b Mon Sep 17 00:00:00 2001
From: Ted Yu
Date: Mon, 15 Sep 2014 16:24:57 +0000
Subject: [PATCH] HBASE-11136 Add permission check to roll WAL writer (Jerry He)
---
 .../coprocessor/BaseRegionServerObserver.java | 8 ++++++++
 .../coprocessor/RegionServerObserver.java | 16 +++++++++++++++
 .../hbase/regionserver/RSRpcServices.java | 1 +
 .../RegionServerCoprocessorHost.java | 20 +++++++++++++++++++
 .../security/access/AccessController.java | 10 ++++++++++
 .../security/access/TestAccessController.java | 14 +++++++++++++
 6 files changed, 69 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java
index 4f51d5bb4b3..afcd457ea46 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java
@@ -68,4 +68,12 @@ public class BaseRegionServerObserver implements RegionServerObserver {
 public void postRollBackMerge(ObserverContext ctx, HRegion regionA, HRegion regionB) throws IOException { }
+ @Override
+ public void preRollWALWriterRequest(ObserverContext ctx)
+ throws IOException { }
+
+ @Override
+ public void postRollWALWriterRequest(ObserverContext ctx)
+ throws IOException { }
+
 }
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
index df1018e9123..8a76d46d04f 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
@@ -105,4 +105,20 @@ public interface RegionServerObserver extends Coprocessor {
 void postRollBackMerge(final ObserverContext ctx, final HRegion regionA, final HRegion regionB) throws IOException;
+ /**
+ * This will be called before executing user request to roll a region server WAL.
+ * @param ctx An instance of ObserverContext
+ * @throws IOException Signals that an I/O exception has occurred.
+ */
+ void preRollWALWriterRequest(final ObserverContext ctx)
+ throws IOException;
+
+ /**
+ * This will be called after executing user request to roll a region server WAL.
+ * @param ctx An instance of ObserverContext
+ * @throws IOException Signals that an I/O exception has occurred.
+ */
+ void postRollWALWriterRequest(final ObserverContext ctx)
+ throws IOException;
+
 }
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
index 3e15a2e8219..db9aecdb188 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
@@ -1454,6 +1454,7 @@ public class RSRpcServices implements HBaseRPCErrorHandler,
 try {
 checkOpen();
 requestCount.increment();
+ regionServer.getRegionServerCoprocessorHost().preRollWALWriterRequest();
 HLog wal = regionServer.getWAL();
 byte[][] regionsToFlush = wal.rollWriter(true);
 RollWALWriterResponse.Builder builder = RollWALWriterResponse.newBuilder();
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
index 46d482c94ce..2a4d6353515 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
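Review bot: The Javadoc on `preRollWALWriterRequest` in RegionServerObserver.java does not tell an implementor how to reject the request, which is what an access-control observer needs to know. Judging by the RSRpcServices hunk, where the hook runs before `wal.rollWriter(true)`, an exception thrown here should stop the roll, so I would add a sentence such as `* Throwing an IOException here (for example an access-denied error) rejects the request before the WAL is rolled.` The generic `@throws` text `Signals that an I/O exception has occurred.` could then be replaced by that contract. Separately, both methods are new abstract members of a public interface, so observers that implement RegionServerObserver directly rather than extending BaseRegionServerObserver will need updating.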
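Review bot: In RSRpcServices.java only the pre hook is wired in; nothing in this patch calls `postRollWALWriterRequest()`, and the diffstat shows a single inserted line for this file, so observers that implement the post hook (for auditing, say) will never be invoked. After `byte[][] regionsToFlush = wal.rollWriter(true);` I would add `regionServer.getRegionServerCoprocessorHost().postRollWALWriterRequest();`. The placement of the pre call ahead of `regionServer.getWAL()` is right for an authorization check. The enclosing RPC handler starts and ends outside the hunk, so how an exception thrown inside this `try` is reported to the client should be confirmed there.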
@@ -136,6 +136,26 @@ public class RegionServerCoprocessorHost extends
 });
 }
+ public void preRollWALWriterRequest() throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ @Override
+ public void call(RegionServerObserver oserver,
+ ObserverContext ctx) throws IOException {
+ oserver.preRollWALWriterRequest(ctx);
+ }
+ });
+ }
+
+ public void postRollWALWriterRequest() throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ @Override
+ public void call(RegionServerObserver oserver,
+ ObserverContext ctx) throws IOException {
+ oserver.postRollWALWriterRequest(ctx);
+ }
+ });
+ }
+
 private static abstract class CoprocessorOperation extends ObserverContext {
 public CoprocessorOperation() {
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 0ff004115d5..14aabc28409 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2218,4 +2218,14 @@ public class AccessController extends BaseMasterAndRegionObserver
 @Override
 public void postRollBackMerge(ObserverContext ctx, HRegion regionA, HRegion regionB) throws IOException { }
+
+ @Override
+ public void preRollWALWriterRequest(ObserverContext ctx)
+ throws IOException {
+ requirePermission("preRollLogWriterRequest", Permission.Action.ADMIN);
+ }
+
+ @Override
+ public void postRollWALWriterRequest(ObserverContext ctx)
+ throws IOException { }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index e93ee7f8256..6b8bde482f3 100644
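Review bot: The two new public methods in RegionServerCoprocessorHost.java have no Javadoc, although `preRollWALWriterRequest()` is now the entry point through which WAL-roll authorization is enforced. A one-line comment would help, e.g. `/** Invokes preRollWALWriterRequest on each loaded RegionServerObserver; with no coprocessors loaded no permission check runs. */`. The no-coprocessor case follows from `coprocessors.isEmpty() ? null : ...`, assuming `execOperation` treats a null operation as a no-op; its body is outside the hunk.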
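Review bot: The request label passed to `requirePermission` in AccessController.java is `"preRollLogWriterRequest"`, which does not match the hook name `preRollWALWriterRequest`. If that string ends up in the audit log or the access-denied message, as it appears to (`requirePermission` is defined outside the hunk), searches for the hook name will miss these events. I would change the line to `requirePermission("preRollWALWriterRequest", Permission.Action.ADMIN);`.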
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -1794,6 +1794,20 @@ public class TestAccessController extends SecureTestUtil {
 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
 }
+ @Test
+ public void testRollWALWriterRequest() throws Exception {
+ AccessTestAction action = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preRollWALWriterRequest(ObserverContext.createAndPrepare(RSCP_ENV, null));
+ return null;
+ }
+ };
+
+ verifyAllowed(action, SUPERUSER, USER_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ }
+
 @Test
 public void testOpenRegion() throws Exception {
 AccessTestAction action = new AccessTestAction() {
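Review bot: `testRollWALWriterRequest` calls `ACCESS_CONTROLLER.preRollWALWriterRequest(...)` directly, so it verifies the ADMIN decision but not that the roll-WAL RPC path actually invokes the hook; removing the call added in RSRpcServices would leave this test green. At minimum I would record that above the test: `// Covers the observer's permission decision only; the RPC wiring in RSRpcServices is not exercised here.` A follow-up test that sends the roll request through the region server as a non-admin user and expects a denial would close the gap.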