HBASE-11136 Add permission check to roll WAL writer (Jerry He)

2014-09-15 16:24:57 +00:00 · 2014-09-15 16:24:57 +00:00 · 57477fe18c
parent 8c4baf6a8a
commit 57477fe18c
6 changed files with 69 additions and 0 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionServerObserver.java
@ -68,4 +68,12 @@ public class BaseRegionServerObserver implements RegionServerObserver {
  public void postRollBackMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx,
      HRegion regionA, HRegion regionB) throws IOException { }

+  @Override
+  public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException { }
+
+  @Override
+  public void postRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException { }
+
 }
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionServerObserver.java
@ -105,4 +105,20 @@ public interface RegionServerObserver extends Coprocessor {
  void postRollBackMerge(final ObserverContext<RegionServerCoprocessorEnvironment> ctx,
      final HRegion regionA, final HRegion regionB) throws IOException;

+  /**
+   * This will be called before executing user request to roll a region server WAL.
+   * @param ctx An instance of ObserverContext
+   * @throws IOException Signals that an I/O exception has occurred.
+   */
+  void preRollWALWriterRequest(final ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException;
+
+  /**
+   * This will be called after executing user request to roll a region server WAL.
+   * @param ctx An instance of ObserverContext
+   * @throws IOException Signals that an I/O exception has occurred.
+   */
+  void postRollWALWriterRequest(final ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException;
+
 }
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java
@ -1454,6 +1454,7 @@ public class RSRpcServices implements HBaseRPCErrorHandler,
    try {
      checkOpen();
      requestCount.increment();
+      regionServer.getRegionServerCoprocessorHost().preRollWALWriterRequest();
      HLog wal = regionServer.getWAL();
      byte[][] regionsToFlush = wal.rollWriter(true);
      RollWALWriterResponse.Builder builder = RollWALWriterResponse.newBuilder();
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
@ -136,6 +136,26 @@ public class RegionServerCoprocessorHost extends
    });
  }

+  public void preRollWALWriterRequest() throws IOException {
+    execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+      @Override
+      public void call(RegionServerObserver oserver,
+          ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException {
+        oserver.preRollWALWriterRequest(ctx);
+      }
+    });
+  }
+
+  public void postRollWALWriterRequest() throws IOException {
+    execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+      @Override
+      public void call(RegionServerObserver oserver,
+          ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws IOException {
+        oserver.postRollWALWriterRequest(ctx);
+      }
+    });
+  }
+
  private static abstract class CoprocessorOperation
      extends ObserverContext<RegionServerCoprocessorEnvironment> {
    public CoprocessorOperation() {
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -2218,4 +2218,14 @@ public class AccessController extends BaseMasterAndRegionObserver
  @Override
  public void postRollBackMerge(ObserverContext<RegionServerCoprocessorEnvironment> ctx,
      HRegion regionA, HRegion regionB) throws IOException { }
+
+  @Override
+  public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException {
+    requirePermission("preRollLogWriterRequest", Permission.Action.ADMIN);
+  }
+
+  @Override
+  public void postRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
+      throws IOException { }
 }
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@ -1794,6 +1794,20 @@ public class TestAccessController extends SecureTestUtil {
    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
  }

+  @Test
+  public void testRollWALWriterRequest() throws Exception {
+    AccessTestAction action = new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preRollWALWriterRequest(ObserverContext.createAndPrepare(RSCP_ENV, null));
+        return null;
+      }
+    };
+
+    verifyAllowed(action, SUPERUSER, USER_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+  }
+
  @Test
  public void testOpenRegion() throws Exception {
    AccessTestAction action = new AccessTestAction() {