Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java Thu Jan 24 23:17:04 2013 @@ -41,6 +41,7 @@ import org.apache.accumulo.core.master.t import org.apache.accumulo.core.master.thrift.MasterMonitorInfo; import org.apache.accumulo.core.master.thrift.TableInfo; import org.apache.accumulo.core.master.thrift.TabletServerStatus; +import org.apache.accumulo.core.security.SecurityUtil; import org.apache.accumulo.core.util.CachedConfiguration; import org.apache.accumulo.core.util.Daemon; import org.apache.accumulo.core.util.LoggingRunnable; @@ -71,7 +72,6 @@ import org.apache.accumulo.server.monito import org.apache.accumulo.server.problems.ProblemReports; import org.apache.accumulo.server.problems.ProblemType; import org.apache.accumulo.server.security.SecurityConstants; -import org.apache.accumulo.server.security.SecurityUtil; import org.apache.accumulo.server.util.EmbeddedWebServer; import org.apache.hadoop.fs.FileSystem; import org.apache.log4j.Logger;
Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java Thu Jan 24 23:17:04 2013 @@ -44,16 +44,17 @@ public class AuditedSecurityOperation ex public AuditedSecurityOperation(Authorizor author, Authenticator authent, PermissionHandler pm, String instanceId) { super(author, authent, pm, instanceId); } - + public static final Logger log = Logger.getLogger(AuditedSecurityOperation.class); - public static synchronized SecurityOperation getInstance(String instanceId) { + public static synchronized SecurityOperation getInstance(String instanceId, boolean initialize) { if (instance == null) { - instance = new AuditedSecurityOperation(getAuthorizor(instanceId), getAuthenticator(instanceId), getPermHandler(instanceId), instanceId); + instance = new AuditedSecurityOperation(getAuthorizor(instanceId, initialize), getAuthenticator(instanceId, initialize), getPermHandler(instanceId, + initialize), instanceId); } return instance; } - + private void audit(InstanceTokenWrapper credentials, ThriftSecurityException ex, String template, Object... args) { log.log(AuditLevel.AUDIT, "Error: authenticated operation failed: " + credentials.getPrincipal() + ": " + String.format(template, args)); } @@ -76,7 +77,8 @@ public class AuditedSecurityOperation ex return result; } catch (ThriftSecurityException ex) { audit(credentials, ex, "authenticateUser"); - throw ex; + log.debug(ex); + throw ex; } } @@ -93,9 +95,10 @@ public class AuditedSecurityOperation ex return result; } catch (ThriftSecurityException ex) { audit(credentials, ex, "getting authorizations for %s", user); + log.debug(ex); throw ex; } - + } /** @@ -104,7 +107,12 @@ public class AuditedSecurityOperation ex * @throws ThriftSecurityException */ public Authorizations getUserAuthorizations(InstanceTokenWrapper credentials) throws ThriftSecurityException { - return getUserAuthorizations(credentials, credentials.getPrincipal()); + try { + return getUserAuthorizations(credentials, credentials.getPrincipal()); + } catch (ThriftSecurityException ex) { + log.debug(ex); + throw ex; + } } /** @@ -119,7 +127,8 @@ public class AuditedSecurityOperation ex audit(credentials, "changed authorizations for %s to %s", user, authorizations); } catch (ThriftSecurityException ex) { audit(credentials, ex, "changing authorizations for %s", user); - throw ex; + log.debug(ex); + throw ex; } } @@ -135,7 +144,8 @@ public class AuditedSecurityOperation ex audit(credentials, "changed password for %s", token.getPrincipal()); } catch (ThriftSecurityException ex) { audit(credentials, ex, "changing password for %s", token.getPrincipal()); - throw ex; + log.debug(ex); + throw ex; } } @@ -152,7 +162,8 @@ public class AuditedSecurityOperation ex audit(credentials, "createUser"); } catch (ThriftSecurityException ex) { audit(credentials, ex, "createUser %s", token.getPrincipal()); - throw ex; + log.debug(ex); + throw ex; } } @@ -167,7 +178,8 @@ public class AuditedSecurityOperation ex audit(credentials, "dropUser"); } catch (ThriftSecurityException ex) { audit(credentials, ex, "dropUser %s", user); - throw ex; + log.debug(ex); + throw ex; } } @@ -183,6 +195,7 @@ public class AuditedSecurityOperation ex audit(credentials, "granted permission %s for %s", permission, user); } catch (ThriftSecurityException ex) { audit(credentials, ex, "granting permission %s for %s", permission, user); + log.debug(ex); throw ex; } } @@ -200,6 +213,7 @@ public class AuditedSecurityOperation ex audit(credentials, "granted permission %s on table %s for %s", permission, table, user); } catch (ThriftSecurityException ex) { audit(credentials, ex, "granting permission %s on table for %s", permission, table, user); + log.debug(ex); throw ex; } } @@ -216,6 +230,7 @@ public class AuditedSecurityOperation ex audit(credentials, "revoked permission %s for %s", permission, user); } catch (ThriftSecurityException ex) { audit(credentials, ex, "revoking permission %s on %s", permission, user); + log.debug(ex); throw ex; } } @@ -233,6 +248,7 @@ public class AuditedSecurityOperation ex audit(credentials, "revoked permission %s on table %s for %s", permission, table, user); } catch (ThriftSecurityException ex) { audit(credentials, ex, "revoking permission %s on table for %s", permission, table, user); + log.debug(ex); throw ex; } } @@ -251,6 +267,7 @@ public class AuditedSecurityOperation ex return result; } catch (ThriftSecurityException ex) { audit(credentials, ex, "checking permission %s on %s", permission, user); + log.debug(ex); throw ex; } } @@ -270,6 +287,7 @@ public class AuditedSecurityOperation ex return result; } catch (ThriftSecurityException ex) { audit(credentials, ex, "checking permission %s on %s", permission, user); + log.debug(ex); throw ex; } } @@ -286,6 +304,7 @@ public class AuditedSecurityOperation ex return result; } catch (ThriftSecurityException ex) { audit(credentials, ex, "listUsers"); + log.debug(ex); throw ex; } } @@ -301,13 +320,14 @@ public class AuditedSecurityOperation ex audit(credentials, "deleted table %s", table); } catch (ThriftSecurityException ex) { audit(credentials, ex, "deleting table %s", table); - throw ex; + log.debug(ex); + throw ex; } } - + @Override public void initializeSecurity(InstanceTokenWrapper credentials, AccumuloToken<?,?> token) throws AccumuloSecurityException, ThriftSecurityException { super.initializeSecurity(credentials, token); - log.info("Initialized root user with username: " + token.getPrincipal()+ " at the request of user " + credentials.getPrincipal()); + log.info("Initialized root user with username: " + token.getPrincipal() + " at the request of user " + credentials.getPrincipal()); } } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java Thu Jan 24 23:17:04 2013 @@ -55,44 +55,43 @@ public class SecurityOperation { private static String rootUserName = null; private final ZooCache zooCache; private final String ZKUserPath; - - private String instanceId; protected static SecurityOperation instance; public static synchronized SecurityOperation getInstance() { String instanceId = HdfsZooInstance.getInstance().getInstanceID(); - return getInstance(instanceId); + return getInstance(instanceId, false); } - public static synchronized SecurityOperation getInstance(String instanceId) { + public static synchronized SecurityOperation getInstance(String instanceId, boolean initialize) { if (instance == null) { - instance = new SecurityOperation(getAuthorizor(instanceId), getAuthenticator(instanceId), getPermHandler(instanceId), instanceId); + instance = new SecurityOperation(getAuthorizor(instanceId, initialize), getAuthenticator(instanceId, initialize), getPermHandler(instanceId, initialize), + instanceId); } return instance; } @SuppressWarnings("deprecation") - protected static Authorizor getAuthorizor(String instanceId) { + protected static Authorizor getAuthorizor(String instanceId, boolean initialize) { Authorizor toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(), Property.INSTANCE_SECURITY_AUTHORIZOR, Authorizor.class, ZKAuthorizor.getInstance()); - toRet.initialize(instanceId); + toRet.initialize(instanceId, initialize); return toRet; } @SuppressWarnings("deprecation") - protected static Authenticator getAuthenticator(String instanceId) { + protected static Authenticator getAuthenticator(String instanceId, boolean initialize) { Authenticator toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(), Property.INSTANCE_SECURITY_AUTHENTICATOR, Authenticator.class, ZKAuthenticator.getInstance()); - toRet.initialize(instanceId); + toRet.initialize(instanceId, initialize); return toRet; } @SuppressWarnings("deprecation") - protected static PermissionHandler getPermHandler(String instanceId) { + protected static PermissionHandler getPermHandler(String instanceId, boolean initialize) { PermissionHandler toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(), Property.INSTANCE_SECURITY_PERMISSION_HANDLER, PermissionHandler.class, ZKPermHandler.getInstance()); - toRet.initialize(instanceId); + toRet.initialize(instanceId, initialize); return toRet; } @@ -101,7 +100,6 @@ public class SecurityOperation { * @Deprecated not for client use */ public SecurityOperation(String instanceId) { - this.instanceId = instanceId; ZKUserPath = Constants.ZROOT + "/" + instanceId + "/users"; zooCache = new ZooCache(); } @@ -145,19 +143,18 @@ public class SecurityOperation { if (!credentials.getInstance().equals(HdfsZooInstance.getInstance().getInstanceID())) throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.INVALID_INSTANCEID); - if (credentials.getPrincipal().equals(SecurityConstants.SYSTEM_USERNAME)) { - if (SecurityConstants.getSystemCredentials().getToken().equals(credentials.getToken()) - && instanceId.equals(SecurityConstants.getSystemCredentials().getInstance())) - return; - else - throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS); + if (SecurityConstants.getSystemCredentials().equals(credentials)) + return; + else if (credentials.getPrincipal().equals(SecurityConstants.SYSTEM_USERNAME)) { + throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS); } - + try { if (!authenticator.authenticateUser(credentials.getToken())) { throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS); } } catch (AccumuloSecurityException e) { + log.debug(e); throw e.asThriftException(); } } @@ -178,11 +175,14 @@ public class SecurityOperation { */ public boolean authenticateUser(InstanceTokenWrapper credentials, AccumuloToken<?,?> token) throws ThriftSecurityException { canAskAboutUser(credentials, token.getPrincipal()); + // User is already authenticated from canAskAboutUser, this gets around issues with !SYSTEM user + if (credentials.getToken().equals(token)) + return true; try { return authenticator.authenticateUser(token); } catch (AccumuloSecurityException e) { throw e.asThriftException(); - } + } } /** @@ -282,8 +282,12 @@ public class SecurityOperation { if (user.equals(SecurityConstants.SYSTEM_USERNAME) || user.equals(getRootUsername())) return; - if (!authenticator.userExists(user)) - throw new ThriftSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST); + try { + if (!authenticator.userExists(user)) + throw new ThriftSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST); + } catch (AccumuloSecurityException e) { + throw e.asThriftException(); + } } /** Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java Thu Jan 24 23:17:04 2013 @@ -30,7 +30,7 @@ import org.apache.accumulo.core.security public interface Authenticator { - public void initialize(String instanceId); + public void initialize(String instanceId, boolean initialize); public boolean validSecurityHandlers(Authorizor auth, PermissionHandler pm); @@ -46,7 +46,7 @@ public interface Authenticator { public void changePassword(AccumuloToken<?,?> user) throws AccumuloSecurityException; - public boolean userExists(String user); + public boolean userExists(String user) throws AccumuloSecurityException; public String getTokenClassName(); } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java Thu Jan 24 23:17:04 2013 @@ -31,7 +31,7 @@ public interface Authorizor { * * @param instanceId */ - public void initialize(String instanceId); + public void initialize(String instanceId, boolean initialize); /** * Used to validate that the Authorizor, Authenticator, and permission handler can coexist Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java Thu Jan 24 23:17:04 2013 @@ -33,7 +33,7 @@ public class InsecureAuthenticator imple * @see org.apache.accumulo.server.security.handler.Authenticator#initialize(java.lang.String) */ @Override - public void initialize(String instanceId) { + public void initialize(String instanceId, boolean initialize) { return; } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java Thu Jan 24 23:17:04 2013 @@ -31,7 +31,7 @@ public class InsecurePermHandler impleme * @see org.apache.accumulo.server.security.handler.PermissionHandler#initialize(java.lang.String) */ @Override - public void initialize(String instanceId) { + public void initialize(String instanceId, boolean initialize) { return; } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java Thu Jan 24 23:17:04 2013 @@ -33,7 +33,7 @@ public interface PermissionHandler { * * @param instanceId */ - public void initialize(String instanceId); + public void initialize(String instanceId, boolean initialize); /** * Used to validate that the Authorizor, Authenticator, and permission handler can coexist Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java Thu Jan 24 23:17:04 2013 @@ -52,7 +52,7 @@ public final class ZKAuthenticator imple zooCache = new ZooCache(); } - public void initialize(String instanceId) { + public void initialize(String instanceId, boolean initialize) { ZKUserPath = Constants.ZROOT + "/" + instanceId + "/users"; } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java Thu Jan 24 23:17:04 2013 @@ -40,9 +40,9 @@ import org.apache.zookeeper.KeeperExcept public class ZKAuthorizor implements Authorizor { private static final Logger log = Logger.getLogger(ZKAuthorizor.class); private static Authorizor zkAuthorizorInstance = null; - + private final String ZKUserAuths = "/Authorizations"; - + private String ZKUserPath; private final ZooCache zooCache; @@ -51,22 +51,22 @@ public class ZKAuthorizor implements Aut zkAuthorizorInstance = new ZKAuthorizor(); return zkAuthorizorInstance; } - + public ZKAuthorizor() { zooCache = new ZooCache(); } - public void initialize(String instanceId) { + public void initialize(String instanceId, boolean initialize) { ZKUserPath = ZKSecurityTool.getInstancePath(instanceId) + "/users"; } - + public Authorizations getCachedUserAuthorizations(String user) { byte[] authsBytes = zooCache.get(ZKUserPath + "/" + user + ZKUserAuths); if (authsBytes != null) return ZKSecurityTool.convertAuthorizations(authsBytes); return Constants.NO_AUTHS; } - + @Override public boolean validSecurityHandlers(Authenticator auth, PermissionHandler pm) { return true; @@ -75,7 +75,7 @@ public class ZKAuthorizor implements Aut @Override public void initializeSecurity(InstanceTokenWrapper itw, String rootuser) throws AccumuloSecurityException { IZooReaderWriter zoo = ZooReaderWriter.getRetryingInstance(); - + // create the root user with all system privileges, no table privileges, and no record-level authorizations Set<SystemPermission> rootPerms = new TreeSet<SystemPermission>(); for (SystemPermission p : SystemPermission.values()) @@ -85,6 +85,10 @@ public class ZKAuthorizor implements Aut tablePerms.put(Constants.METADATA_TABLE_ID, Collections.singleton(TablePermission.ALTER_TABLE)); try { + // prep parent node of users with root username + if (!zoo.exists(ZKUserPath)) + zoo.putPersistentData(ZKUserPath, rootuser.getBytes(), NodeExistsPolicy.FAIL); + initUser(rootuser); zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserAuths, ZKSecurityTool.convertAuthorizations(Constants.NO_AUTHS), NodeExistsPolicy.FAIL); } catch (KeeperException e) { @@ -149,5 +153,5 @@ public class ZKAuthorizor implements Aut throw new RuntimeException(e); } } - + } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java Thu Jan 24 23:17:04 2013 @@ -50,21 +50,21 @@ public class ZKPermHandler implements Pe private final ZooCache zooCache; private final String ZKUserSysPerms = "/System"; private final String ZKUserTablePerms = "/Tables"; - + public static synchronized PermissionHandler getInstance() { if (zkPermHandlerInstance == null) zkPermHandlerInstance = new ZKPermHandler(); return zkPermHandlerInstance; } - - public void initialize(String instanceId) { + + public void initialize(String instanceId, boolean initialize) { ZKUserPath = ZKSecurityTool.getInstancePath(instanceId) + "/users"; } - + public ZKPermHandler() { zooCache = new ZooCache(); } - + @Override public boolean hasTablePermission(String user, String table, TablePermission permission) { byte[] serializedPerms; @@ -94,7 +94,7 @@ public class ZKPermHandler implements Pe } return false; } - + @Override public void grantSystemPermission(String user, SystemPermission permission) throws AccumuloSecurityException { try { @@ -235,6 +235,10 @@ public class ZKPermHandler implements Pe tablePerms.put(Constants.METADATA_TABLE_ID, Collections.singleton(TablePermission.ALTER_TABLE)); try { + // prep parent node of users with root username + if (!zoo.exists(ZKUserPath)) + zoo.putPersistentData(ZKUserPath, rootuser.getBytes(), NodeExistsPolicy.FAIL); + initUser(rootuser); zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserSysPerms, ZKSecurityTool.convertSystemPermissions(rootPerms), NodeExistsPolicy.FAIL); for (Entry<String,Set<TablePermission>> entry : tablePerms.entrySet()) @@ -265,7 +269,7 @@ public class ZKPermHandler implements Pe throw new RuntimeException(e); } } - + /** * Sets up a new table configuration for the provided user/table. No checking for existence is done here, it should be done before calling. */ @@ -331,7 +335,7 @@ public class ZKPermHandler implements Pe public boolean validSecurityHandlers(Authenticator authent, Authorizor author) { return true; } - + @Override public void initTable(String table) throws AccumuloSecurityException { // All proper housekeeping is done on delete and permission granting, no work needs to be done here Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java Thu Jan 24 23:17:04 2013 @@ -106,6 +106,7 @@ import org.apache.accumulo.core.master.t import org.apache.accumulo.core.master.thrift.TabletLoadState; import org.apache.accumulo.core.master.thrift.TabletServerStatus; import org.apache.accumulo.core.security.Authorizations; +import org.apache.accumulo.core.security.SecurityUtil; import org.apache.accumulo.core.security.thrift.SecurityErrorCode; import org.apache.accumulo.core.security.thrift.ThriftInstanceTokenWrapper; import org.apache.accumulo.core.security.thrift.ThriftSecurityException; @@ -159,7 +160,6 @@ import org.apache.accumulo.server.proble import org.apache.accumulo.server.security.AuditedSecurityOperation; import org.apache.accumulo.server.security.SecurityConstants; import org.apache.accumulo.server.security.SecurityOperation; -import org.apache.accumulo.server.security.SecurityUtil; import org.apache.accumulo.server.tabletserver.Compactor.CompactionInfo; import org.apache.accumulo.server.tabletserver.Tablet.CommitSession; import org.apache.accumulo.server.tabletserver.Tablet.KVEntry; @@ -718,7 +718,7 @@ public class TabletServer extends Abstra public Tablet currentTablet; public MapCounter<Tablet> successfulCommits = new MapCounter<Tablet>(); Map<KeyExtent,Long> failures = new HashMap<KeyExtent,Long>(); - HashMap<KeyExtent, SecurityErrorCode> authFailures = new HashMap<KeyExtent, SecurityErrorCode>(); + HashMap<KeyExtent,SecurityErrorCode> authFailures = new HashMap<KeyExtent,SecurityErrorCode>(); public Violations violations; public InstanceTokenWrapper credentials; public long totalUpdates = 0; @@ -1255,7 +1255,7 @@ public class TabletServer extends Abstra tables.add(new String(keyExtent.getTable())); } InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials); - + // check if user has permission to the tables Authorizations userauths = null; for (String table : tables) @@ -1375,7 +1375,7 @@ public class TabletServer extends Abstra public long startUpdate(TInfo tinfo, ThriftInstanceTokenWrapper credentials) throws ThriftSecurityException { // Make sure user is real InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials); - + security.authenticateUser(itw, itw.getToken()); if (updateMetrics.isEnabled()) updateMetrics.add(TabletServerUpdateMetrics.permissionErrors, 0); @@ -1641,17 +1641,16 @@ public class TabletServer extends Abstra log.debug(String.format("Authentication Failures: %d, first %s", us.authFailures.size(), first.toString())); } - return new UpdateErrors(Translator.translate(us.failures, Translator.KET), Translator.translate(violations, Translator.CVST), Translator.translate(us.authFailures, Translator.KET)); + return new UpdateErrors(Translator.translate(us.failures, Translator.KET), Translator.translate(violations, Translator.CVST), Translator.translate( + us.authFailures, Translator.KET)); } @Override public void update(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent tkeyExtent, TMutation tmutation) throws NotServingTabletException, ConstraintViolationException, ThriftSecurityException { InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials); - if (!security.canWrite(itw, new String(tkeyExtent.getTable()))) throw new ThriftSecurityException(itw.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); - KeyExtent keyExtent = new KeyExtent(tkeyExtent); Tablet tablet = onlineTablets.get(new KeyExtent(keyExtent)); if (tablet == null) { @@ -1696,10 +1695,10 @@ public class TabletServer extends Abstra } @Override - public void splitTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent tkeyExtent, ByteBuffer splitPoint) throws NotServingTabletException, - ThriftSecurityException { + public void splitTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent tkeyExtent, ByteBuffer splitPoint) + throws NotServingTabletException, ThriftSecurityException { InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials); - + String tableId = new String(ByteBufferUtil.toBytes(tkeyExtent.table)); if (!security.canSplitTablet(itw, tableId)) throw new ThriftSecurityException(itw.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); @@ -1755,7 +1754,8 @@ public class TabletServer extends Abstra private ZooCache masterLockCache = new ZooCache(); - private void checkPermission(InstanceTokenWrapper credentials, String lock, boolean requiresSystemPermission, final String request) throws ThriftSecurityException { + private void checkPermission(InstanceTokenWrapper credentials, String lock, boolean requiresSystemPermission, final String request) + throws ThriftSecurityException { if (requiresSystemPermission) { boolean fatal = false; try { @@ -1820,7 +1820,7 @@ public class TabletServer extends Abstra @Override public void loadTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock, final TKeyExtent textent) { InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials); - + try { checkPermission(itw, lock, true, "loadTablet"); } catch (ThriftSecurityException e) { @@ -2019,7 +2019,8 @@ public class TabletServer extends Abstra } @Override - public void compact(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock, String tableId, ByteBuffer startRow, ByteBuffer endRow) throws TException { + public void compact(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock, String tableId, ByteBuffer startRow, ByteBuffer endRow) + throws TException { try { checkPermission(new InstanceTokenWrapper(credentials), lock, true, "compact"); } catch (ThriftSecurityException e) { @@ -2050,9 +2051,9 @@ public class TabletServer extends Abstra } tablet.compactAll(compactionId); } - + } - + /* * (non-Javadoc) * @@ -3070,7 +3071,7 @@ public class TabletServer extends Abstra String uris = null; boolean preDelegate = true; - + Iterator<Entry<String,String>> iter = getSystemConfiguration().iterator(); while (iter.hasNext()) { Entry<String,String> entry = iter.next(); @@ -3085,7 +3086,7 @@ public class TabletServer extends Abstra if (uris != null) return new ContextConfig(uris, preDelegate); - + return null; } }); Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java Thu Jan 24 23:17:04 2013 @@ -88,7 +88,7 @@ public class WalkingSecurity extends Sec } @Override - public void initialize(String instanceId) { + public void initialize(String instanceId, boolean initialize) { throw new UnsupportedOperationException("nope"); } Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java Thu Jan 24 23:17:04 2013 @@ -37,6 +37,7 @@ import org.apache.accumulo.core.conf.Pro import org.apache.accumulo.core.data.Mutation; import org.apache.accumulo.core.data.Value; import org.apache.accumulo.core.file.FileUtil; +import org.apache.accumulo.core.security.SecurityUtil; import org.apache.accumulo.core.trace.TraceFormatter; import org.apache.accumulo.core.util.AddressUtil; import org.apache.accumulo.core.util.CachedConfiguration; @@ -46,7 +47,6 @@ import org.apache.accumulo.fate.zookeepe import org.apache.accumulo.server.Accumulo; import org.apache.accumulo.server.client.HdfsZooInstance; import org.apache.accumulo.server.conf.ServerConfiguration; -import org.apache.accumulo.server.security.SecurityUtil; import org.apache.accumulo.server.util.time.SimpleTimer; import org.apache.accumulo.server.zookeeper.ZooReaderWriter; import org.apache.hadoop.fs.FileSystem; Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java (original) +++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java Thu Jan 24 23:17:04 2013 @@ -39,6 +39,7 @@ import org.apache.accumulo.core.file.Fil import org.apache.accumulo.core.iterators.user.VersioningIterator; import org.apache.accumulo.core.master.state.tables.TableState; import org.apache.accumulo.core.master.thrift.MasterGoalState; +import org.apache.accumulo.core.security.SecurityUtil; import org.apache.accumulo.core.security.thrift.ThriftSecurityException; import org.apache.accumulo.core.security.tokens.UserPassToken; import org.apache.accumulo.core.util.CachedConfiguration; @@ -54,7 +55,6 @@ import org.apache.accumulo.server.iterat import org.apache.accumulo.server.master.state.tables.TableManager; import org.apache.accumulo.server.security.AuditedSecurityOperation; import org.apache.accumulo.server.security.SecurityConstants; -import org.apache.accumulo.server.security.SecurityUtil; import org.apache.accumulo.server.tabletserver.TabletTime; import org.apache.accumulo.server.zookeeper.ZooReaderWriter; import org.apache.hadoop.conf.Configuration; @@ -74,7 +74,7 @@ import com.beust.jcommander.Parameter; */ public class Initialize { private static final Logger log = Logger.getLogger(Initialize.class); - private static final String ROOT_USER = "root"; + private static final String DEFAULT_ROOT_USER = "root"; private static ConsoleReader reader = null; @@ -159,6 +159,7 @@ public class Initialize { log.fatal("Failed to talk to zookeeper", e); return false; } + opts.rootuser = getRootUser(opts); opts.rootpass = getRootPassword(opts); return initialize(opts, instanceNamePath, fs); } @@ -402,6 +403,19 @@ public class Initialize { return instanceNamePath; } + private static String getRootUser(Opts opts) throws IOException { + if (opts.cliUser != null) { + return opts.cliUser; + } + String rootuser; + rootuser = getConsoleReader().readLine("Enter name for initial root user ( " + DEFAULT_ROOT_USER + "): ", '*'); + if (rootuser == null) + System.exit(0); + if (rootuser.equals("")) + return DEFAULT_ROOT_USER; + return rootuser; + } + private static byte[] getRootPassword(Opts opts) throws IOException { if (opts.cliPassword != null) { return opts.cliPassword.getBytes(); @@ -409,10 +423,10 @@ public class Initialize { String rootpass; String confirmpass; do { - rootpass = getConsoleReader().readLine("Enter initial password for " + ROOT_USER + ": ", '*'); + rootpass = getConsoleReader().readLine("Enter initial password for " + opts.rootuser + " (this may not be applicable for your security setup): ", '*'); if (rootpass == null) System.exit(0); - confirmpass = getConsoleReader().readLine("Confirm initial password for " + ROOT_USER + ": ", '*'); + confirmpass = getConsoleReader().readLine("Confirm initial password for " + opts.rootuser + ": ", '*'); if (confirmpass == null) System.exit(0); if (!rootpass.equals(confirmpass)) @@ -422,7 +436,7 @@ public class Initialize { } private static void initSecurity(Opts opts, String iid) throws AccumuloSecurityException, ThriftSecurityException { - AuditedSecurityOperation.getInstance(iid).initializeSecurity(SecurityConstants.getSystemCredentials(), new UserPassToken(ROOT_USER, opts.rootpass)); + AuditedSecurityOperation.getInstance(iid, true).initializeSecurity(SecurityConstants.getSystemCredentials(), new UserPassToken(opts.rootuser, opts.rootpass)); } protected static void initMetadataConfig() throws IOException { @@ -447,7 +461,7 @@ public class Initialize { private static void setMetadataReplication(int replication, String reason) throws IOException { String rep = getConsoleReader().readLine( "Your HDFS replication " + reason - + " is not compatible with our default !METADATA replication of 5. What do you want to set your !METADATA replication to? (" + replication + ") "); + + " is not compatible with our default !METADATA replication of 5. What do you want to set your !METADATA replication to? (" + replication + ") "); if (rep == null || rep.length() == 0) rep = Integer.toString(replication); else @@ -469,8 +483,11 @@ public class Initialize { String cliInstanceName; @Parameter(names = "--password", description = "set the password on the command line") String cliPassword; + @Parameter(names = "--username", description = "set the root username on the command line") + String cliUser; byte[] rootpass = null; + String rootuser = null; } public static void main(String[] args) { @@ -487,6 +504,7 @@ public class Initialize { if (justSecurity) { if (isInitialized(fs)) { + opts.rootuser = getRootUser(opts); opts.rootpass = getRootPassword(opts); initSecurity(opts, HdfsZooInstance.getInstance().getInstanceID()); } else { Modified: accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java?rev=1438259&r1=1438258&r2=1438259&view=diff ============================================================================== --- accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java (original) +++ accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java Thu Jan 24 23:17:04 2013 @@ -310,7 +310,7 @@ public class MiniAccumuloCluster { // sleep a little bit to let zookeeper come up before calling init, seems to work better UtilWaitThread.sleep(250); - Process initProcess = exec(Initialize.class, "--instance-name", INSTANCE_NAME, "--password", config.getRootPassword()); + Process initProcess = exec(Initialize.class, "--instance-name", INSTANCE_NAME, "--password", config.getRootPassword(), "--username", "root"); int ret = initProcess.waitFor(); if (ret != 0) { throw new RuntimeException("Initialize process returned " + ret);
