HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)

2014-09-14 20:29:24 -07:00 · 2014-09-14 20:29:24 -07:00 · 8c4baf6a8a
parent 4018e85611
commit 8c4baf6a8a
2 changed files with 32 additions and 4 deletions
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@ -164,6 +164,25 @@ public abstract class User {
    return user;
  }

+  /**
+   * Executes the given action as the login user
+   * @param action
+   * @return
+   * @throws IOException
+   * @throws InterruptedException
+   */
+  @SuppressWarnings({ "rawtypes", "unchecked" })
+  public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
+    try {
+      Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+      Class [] types = new Class[]{PrivilegedExceptionAction.class};
+      Object[] args = new Object[]{action};
+      return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+    } catch (Throwable e) {
+      throw new IOException(e);
+    }
+  }
+
  /**
   * Wraps an underlying {@code UserGroupInformation} instance.
   * @param ugi The base Hadoop user
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;

 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@ -881,7 +882,7 @@ public class AccessController extends BaseMasterAndRegionObserver
  }

  @Override
-  public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
+  public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> c,
      HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
    // When AC is used, it should be configured as the 1st CP.
    // In Master, the table operations like create, are handled by a Thread pool but the max size
@ -910,9 +911,17 @@ public class AccessController extends BaseMasterAndRegionObserver
        // default the table owner to current user, if not specified.
        if (owner == null)
          owner = getActiveUser().getShortName();
-        UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
-            null, Action.values());
-        AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+        final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+            desc.getTableName(), null, Action.values());
+        // switch to the real hbase master user for doing the RPC on the ACL table
+        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+                userperm);
+            return null;
+          }
+        });
      }
    }
  }