Repository: hbase Updated Branches: refs/heads/master 9abab54d8 -> a8766fd62
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/a8766fd6 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/a8766fd6 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/a8766fd6 Branch: refs/heads/master Commit: a8766fd623e5679b13600646ac2808e733f98d07 Parents: 9abab54 Author: stack <[email protected]> Authored: Sat Dec 27 21:11:57 2014 -0800 Committer: stack <[email protected]> Committed: Sat Dec 27 21:11:57 2014 -0800 ---------------------------------------------------------------------- .../apache/hadoop/hbase/zookeeper/ZKUtil.java | 20 +++++++++++++++++--- .../hbase/zookeeper/ZooKeeperWatcher.java | 5 ----- 2 files changed, 17 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java ---------------------------------------------------------------------- diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java index da0d8b2..64f75c4 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java 
@@ -61,9 +61,11 @@ import org.apache.zookeeper.KeeperException.NoNodeException;
 import org.apache.zookeeper.Op;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.client.ZooKeeperSaslClient;
 import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
 import org.apache.zookeeper.proto.CreateRequest;
 import org.apache.zookeeper.proto.DeleteRequest;
@@ -949,8 +951,17 @@ public class ZKUtil {
 conf.get("hbase.zookeeper.client.keytab.file") != null);
 }
- private static List<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ private static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ if (!node.startsWith(zkw.baseZNode)) {
+ return Ids.OPEN_ACL_UNSAFE;
+ }
 if (isSecureZooKeeper(zkw.getConfiguration())) {
+ String superUser = zkw.getConfiguration().get("hbase.superuser");
+ ArrayList<ACL> acls = new ArrayList<ACL>();
+ // add permission to hbase supper user
+ if (superUser != null) {
+ acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
+ }
 // Certain znodes are accessed directly by the client,
 // so they must be readable by non-authenticated clients
 if ((node.equals(zkw.baseZNode) == true) ||
@@ -960,9 +971,12 @@ public class ZKUtil {
 (node.equals(zkw.rsZNode) == true) ||
 (node.equals(zkw.backupMasterAddressesZNode) == true) ||
 (node.startsWith(zkw.tableZNode) == true)) {
- return ZooKeeperWatcher.CREATOR_ALL_AND_WORLD_READABLE;
+ acls.addAll(Ids.CREATOR_ALL_ACL);
+ acls.addAll(Ids.READ_ACL_UNSAFE);
+ } else {
+ acls.addAll(Ids.CREATOR_ALL_ACL);
 }
- return Ids.CREATOR_ALL_ACL;
+ return acls;
 } else {
 return Ids.OPEN_ACL_UNSAFE;
 }
http://git-wip-us.apache.org/repos/asf/hbase/blob/a8766fd6/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java ----------------------------------------------------------------------
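Review bot: The superuser entry added in the second hunk, `new ACL(Perms.ALL, new Id("auth", superUser))`, most likely grants nothing to the superuser. ZooKeeper's `auth` scheme ignores the id expression and resolves to whatever identities the creating session authenticated with, so the entry duplicates `Ids.CREATOR_ALL_ACL`. If clients authenticate over SASL, as the `ZooKeeperSaslClient` import suggests, the entry needs a scheme that names the principal, e.g. `new Id("sasl", superUser)`, and since `hbase.superuser` may hold a comma-separated list of users and groups the value should be split rather than passed as one id. Separately, the new guard `if (!node.startsWith(zkw.baseZNode))` runs before the `isSecureZooKeeper` check, so in a secure cluster every path outside the base znode now gets `Ids.OPEN_ACL_UNSAFE`; if that is meant for parent nodes HBase does not own, a comment such as `// parents of the base znode are shared; do not restrict them` would make the fail-open choice explicit. createACL's body continues into the next hunk.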
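Review bot: `acls.addAll(Ids.CREATOR_ALL_ACL);` is now repeated in both branches of the world-readable test in the third hunk, and the `else` exists only to carry it. Adding it once ahead of the `if` and keeping only `acls.addAll(Ids.READ_ACL_UNSAFE);` inside the branch states the same policy with one line to maintain, and makes it obvious that the creator grant is unconditional on the secure path. The start of the `if` condition is outside this hunk.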
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java index 84bd9f8..f287a0e 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java @@ -111,11 +111,6 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable { public static String namespaceZNode = "namespace"; - // Certain ZooKeeper nodes need to be world-readable - public static final List<ACL> CREATOR_ALL_AND_WORLD_READABLE = - Arrays.asList(new ACL(ZooDefs.Perms.READ,ZooDefs.Ids.ANYONE_ID_UNSAFE), - new ACL(ZooDefs.Perms.ALL,ZooDefs.Ids.AUTH_IDS)); - private final Configuration conf; private final Exception constructorCaller;
