From a84233ae350ea921740d532cfdc2b79731f96555 Mon Sep 17 00:00:00 2001 From: Enis Soztutar Date: Mon, 26 Jan 2015 15:58:35 -0800 Subject: [PATCH] HBASE-12745 Visibility Labels: support visibility labels for user groups. (Addendum2 for BC between 0.98 and branch-1) (Anoop Sam John) --- .../visibility/VisibilityController.java | 33 ++++++++++++++++--- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 834dfb612a4..0fbef44856c 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java @@ -827,11 +827,21 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements + "' is not authorized to perform this action."); } if (AccessControlLists.isGroupPrincipal(Bytes.toString(user))) { + // For backward compatibility. Previous custom visibilityLabelService + // implementation may not have getGroupAuths + try { + this.visibilityLabelService.getClass().getDeclaredMethod("getGroupAuths", + new Class[] { String[].class, Boolean.TYPE }); + } catch (SecurityException e) { + throw new AccessDeniedException("Failed to obtain getGroupAuths implementation"); + } catch (NoSuchMethodException e) { + throw new AccessDeniedException( + "Get group auth is not supported in this implementation"); + } String group = AccessControlLists.getGroupName(Bytes.toString(user)); - labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false); - } - else { - labels = this.visibilityLabelService.getUserAuths(user, false); + labels = this.visibilityLabelService.getGroupAuths(new String[] { group }, false); + } else { + labels = this.visibilityLabelService.getAuths(user, false); } } catch (IOException e) { ResponseConverter.setControllerException(controller, e); @@ -926,7 +936,20 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements if (user == null) { throw new IOException("Unable to retrieve calling user"); } - if (!(this.visibilityLabelService.havingSystemAuth(user))) { + boolean havingSystemAuth = false; + try { + this.visibilityLabelService.getClass().getDeclaredMethod("havingSystemAuth", + new Class[] { User.class }); + havingSystemAuth = this.visibilityLabelService.havingSystemAuth(user); + } catch (SecurityException e) { + // Just consider this as AccessDeniedException + } catch (NoSuchMethodException e) { + // VLS not having havingSystemAuth(User) method. Go with deprecated havingSystemAuth(byte[]) + // method invoke + havingSystemAuth = this.visibilityLabelService.havingSystemAuth(Bytes.toBytes(user + .getShortName())); + } + if (!havingSystemAuth) { throw new AccessDeniedException("User '" + user.getShortName() + "' is not authorized to perform this action."); }