HBASE-12745 Visibility Labels: support visibility labels for user groups. (Addendum2 for BC between 0.98 and branch-1) (Anoop Sam John)

2015-01-26 15:58:35 -08:00 · 2015-01-26 15:58:35 -08:00 · a84233ae35
parent 5cee77a1f1
commit a84233ae35
1 changed files with 28 additions and 5 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
@ -827,11 +827,21 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
              + "' is not authorized to perform this action.");
        }
        if (AccessControlLists.isGroupPrincipal(Bytes.toString(user))) {
-          String group = AccessControlLists.getGroupName(Bytes.toString(user));
-          labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false);
+          // For backward compatibility. Previous custom visibilityLabelService
+          // implementation may not have getGroupAuths
+          try {
+            this.visibilityLabelService.getClass().getDeclaredMethod("getGroupAuths",
+                new Class[] { String[].class, Boolean.TYPE });
+          } catch (SecurityException e) {
+            throw new AccessDeniedException("Failed to obtain getGroupAuths implementation");
+          } catch (NoSuchMethodException e) {
+            throw new AccessDeniedException(
+                "Get group auth is not supported in this implementation");
          }
-        else {
-          labels = this.visibilityLabelService.getUserAuths(user, false);
+          String group = AccessControlLists.getGroupName(Bytes.toString(user));
+          labels = this.visibilityLabelService.getGroupAuths(new String[] { group }, false);
+        } else {
+          labels = this.visibilityLabelService.getAuths(user, false);
        }
      } catch (IOException e) {
        ResponseConverter.setControllerException(controller, e);
@ -926,7 +936,20 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
      if (user == null) {
        throw new IOException("Unable to retrieve calling user");
      }
-      if (!(this.visibilityLabelService.havingSystemAuth(user))) {
+      boolean havingSystemAuth = false;
+      try {
+        this.visibilityLabelService.getClass().getDeclaredMethod("havingSystemAuth",
+            new Class[] { User.class });
+        havingSystemAuth = this.visibilityLabelService.havingSystemAuth(user);
+      } catch (SecurityException e) {
+        // Just consider this as AccessDeniedException
+      } catch (NoSuchMethodException e) {
+        // VLS not having havingSystemAuth(User) method. Go with deprecated havingSystemAuth(byte[])
+        // method invoke
+        havingSystemAuth = this.visibilityLabelService.havingSystemAuth(Bytes.toBytes(user
+            .getShortName()));
+      }
+      if (!havingSystemAuth) {
        throw new AccessDeniedException("User '" + user.getShortName()
            + "' is not authorized to perform this action.");
      }