HBASE-10161 [AccessController] Tolerate regions in recovery

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1552748 13f79535-47bb-0310-9956-ffa450edef68
2013-12-20 17:24:55 +00:00 · 2013-12-20 17:24:55 +00:00 · f9cb3d74c8
parent 25b72708a2
commit f9cb3d74c8
1 changed files with 31 additions and 1 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -153,6 +153,8 @@ public class AccessController extends BaseRegionObserver
  // flags if we are able to support cell ACLs
  boolean canPersistCellACLs;

+  private volatile boolean initialized = false;
+
  void initialize(RegionCoprocessorEnvironment e) throws IOException {
    final HRegion region = e.getRegion();
    Map<byte[], ListMultimap<String,TablePermission>> tables =
@ -166,6 +168,7 @@ public class AccessController extends BaseRegionObserver
      byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, e.getConfiguration());
      this.authManager.getZKPermissionWatcher().writeToZookeeper(entry, serialized);
    }
+    initialized = true;
  }

  /**
@ -1043,6 +1046,8 @@ public class AccessController extends BaseRegionObserver
    }
    if (AccessControlLists.isAclRegion(region)) {
      aclRegion = true;
+      // When this region is under recovering state, initialize will be handled by postLogReplay
+      if (!region.isRecovering()) {
        try {
          initialize(env);
        } catch (IOException ex) {
@ -1051,6 +1056,22 @@ public class AccessController extends BaseRegionObserver
          throw new RuntimeException("Failed to initialize permissions cache", ex);
        }
      }
+    } else {
+      initialized = true;
+    }
+  }
+
+  @Override
+  public void postLogReplay(ObserverContext<RegionCoprocessorEnvironment> c) {
+    if (aclRegion) {
+      try {
+        initialize(c.getEnvironment());
+      } catch (IOException ex) {
+        // if we can't obtain permissions, it's better to fail
+        // than perform checks incorrectly
+        throw new RuntimeException("Failed to initialize permissions cache", ex);
+      }
+    }
  }

  @Override
@ -1456,6 +1477,9 @@ public class AccessController extends BaseRegionObserver
    try {
      // verify it's only running at .acl.
      if (aclRegion) {
+        if (!initialized) {
+          throw new CoprocessorException("AccessController not yet initialized");
+        }
        if (LOG.isDebugEnabled()) {
          LOG.debug("Received request to grant access permission " + perm.toString());
        }
@ -1496,6 +1520,9 @@ public class AccessController extends BaseRegionObserver
    try {
      // only allowed to be called on _acl_ region
      if (aclRegion) {
+        if (!initialized) {
+          throw new CoprocessorException("AccessController not yet initialized");
+        }
        if (LOG.isDebugEnabled()) {
          LOG.debug("Received request to revoke access permission " + perm.toString());
        }
@ -1535,6 +1562,9 @@ public class AccessController extends BaseRegionObserver
    try {
      // only allowed to be called on _acl_ region
      if (aclRegion) {
+        if (!initialized) {
+          throw new CoprocessorException("AccessController not yet initialized");
+        }
        List<UserPermission> perms = null;
        if(request.getType() == AccessControlProtos.Permission.Type.Table) {
          TableName table = null;