From 8c4baf6a8a459cf6d4732842db3d742b8e63e74c Mon Sep 17 00:00:00 2001
From: Andrew Purtell
Date: Sun, 14 Sep 2014 20:29:24 -0700
Subject: [PATCH] HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)
---
 .../apache/hadoop/hbase/security/User.java | 19 +++++++++++++++++++
 .../security/access/AccessController.java | 17 +++++++++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d8bba..fd12e476f35 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -164,6 +164,25 @@ public abstract class User {
 return user;
 }
+ /**
+ * Executes the given action as the login user
+ * @param action
+ * @return
+ * @throws IOException
+ * @throws InterruptedException
+ */
+ @SuppressWarnings({ "rawtypes", "unchecked" })
+ public static T runAsLoginUser(PrivilegedExceptionAction action) throws IOException {
+ try {
+ Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+ Class [] types = new Class[]{PrivilegedExceptionAction.class};
+ Object[] args = new Object[]{action};
+ return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+ } catch (Throwable e) {
+ throw new IOException(e);
+ }
+ }
+
 /**
 * Wraps an underlying {@code UserGroupInformation} instance.
 * @param ugi The base Hadoop user
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index fa87289616e..0ff004115d5 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
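Review bot: `catch (Throwable e)` in runAsLoginUser turns every failure — a missing `SecurityUtil.doAsLoginUser` on the classpath, an `InterruptedException`, an `Error`, and whatever `action.run()` itself threw — into a fresh `IOException`, so the caller in AccessController.postCreateTableHandler receives the ACL-table write's own IOException double-wrapped, an interrupt is swallowed without re-setting the interrupt flag, and JVM errors are demoted to a checked exception. Assuming Methods.call declares a checked `Exception` and propagates the invoked method's own exception as it appears to elsewhere in this codebase (I cannot see it here), narrowing the catch as below keeps the action's IOException intact, restores the interrupt and lets errors propagate. The Javadoc also lists `@throws InterruptedException` although only IOException is declared, and its `@param` and `@return` tags are empty; because this helper is a privilege switch, it should say that the action runs with the process login user's credentials rather than the RPC caller's, so any authorization decision about the caller has to be made before calling it and `getActiveUser()`-style lookups inside the action will not return the caller.
```java
      return (T) Methods.call(c, null, "doAsLoginUser", types, args);
    } catch (IOException e) {
      throw e; // the action's own IOException: keep its type and message for the caller
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      throw new IOException(e);
    } catch (Exception e) {
      // reflective lookup failed (SecurityUtil.doAsLoginUser absent) or the action threw another checked exception
      throw new IOException(e);
    }
```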
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -881,7 +882,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 }
 @Override
- public void postCreateTableHandler(ObserverContext c,
+ public void postCreateTableHandler(final ObserverContext c,
 HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
 // When AC is used, it should be configured as the 1st CP.
 // In Master, the table operations like create, are handled by a Thread pool but the max size
@@ -910,9 +911,17 @@ public class AccessController extends BaseMasterAndRegionObserver
 // default the table owner to current user, if not specified.
 if (owner == null) owner = getActiveUser().getShortName();
- UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
- null, Action.values());
- AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+ final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+ desc.getTableName(), null, Action.values());
+ // switch to the real hbase master user for doing the RPC on the ACL table
+ User.runAsLoginUser(new PrivilegedExceptionAction() {
+ @Override
+ public Void run() throws Exception {
+ AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+ userperm);
+ return null;
+ }
+ });
 }
 }
 }
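Review bot: The comment above `User.runAsLoginUser(...)` in the last hunk says what is switched but not why, and leaves an implicit hazard undocumented: inside the anonymous action the effective user is the master's login user, so `getActiveUser()` must not be called there (the owner is correctly resolved from it on the line above, before the switch). I would expand the comment to `// The RPC context still carries the createTable caller (possibly a doAs/proxy user), who is not permitted to write hbase:acl; run the write as the master's login user. Do not call getActiveUser() inside the action — it would no longer return the caller.` Note also that runAsLoginUser rethrows any failure of addUserPermission wrapped in a new IOException, which the direct call it replaces did not do; see the note on the User.java hunk. postCreateTableHandler starts in the earlier hunk and its body between the two hunks is outside view, so I cannot tell whether other hbase:acl writes in this method, or in sibling hooks that update permissions on the RPC caller's behalf, still run under the caller's identity — worth confirming.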