Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)

This commit is contained in:
Andrew Purtell 2014-09-14 20:29:24 -07:00
parent 4018e85611
commit 8c4baf6a8a
2 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
View File

@ -164,6 +164,25 @@ public abstract class User {
return user; return user;
} }
/**
* Executes the given action as the login user
* @param action
* @return
* @throws IOException
* @throws InterruptedException
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
try {
Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
Class [] types = new Class[]{PrivilegedExceptionAction.class};
Object[] args = new Object[]{action};
return (T) Methods.call(c, null, "doAsLoginUser", types, args);
} catch (Throwable e) {
throw new IOException(e);
}
}
/** /**
* Wraps an underlying {@code UserGroupInformation} instance. * Wraps an underlying {@code UserGroupInformation} instance.
* @param ugi The base Hadoop user * @param ugi The base Hadoop user

17
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
import java.io.IOException; import java.io.IOException;
import java.net.InetAddress; import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
@ -881,7 +882,7 @@ public class AccessController extends BaseMasterAndRegionObserver
} }
@Override @Override
public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> c, public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> c,
HTableDescriptor desc, HRegionInfo[] regions) throws IOException { HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
// When AC is used, it should be configured as the 1st CP. // When AC is used, it should be configured as the 1st CP.
// In Master, the table operations like create, are handled by a Thread pool but the max size // In Master, the table operations like create, are handled by a Thread pool but the max size
@ -910,9 +911,17 @@ public class AccessController extends BaseMasterAndRegionObserver
// default the table owner to current user, if not specified. // default the table owner to current user, if not specified.
if (owner == null) if (owner == null)
owner = getActiveUser().getShortName(); owner = getActiveUser().getShortName();
UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(), final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
null, Action.values()); desc.getTableName(), null, Action.values());
AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm); // switch to the real hbase master user for doing the RPC on the ACL table
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
userperm);
return null;
}
});
} }
} }
} }