Repository: hbase
Updated Branches:
  refs/heads/0.98 74f303ba2 -> efc49a745


HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in 
a secure cluster (Liu Shaohui)

Conflicts:
        hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
        
hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/efc49a74
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/efc49a74
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/efc49a74

Branch: refs/heads/0.98
Commit: efc49a745fa198e8f5ed9abe76392e6fff836d75
Parents: 74f303b
Author: stack <[email protected]>
Authored: Sat Dec 27 21:11:57 2014 -0800
Committer: Andrew Purtell <[email protected]>
Committed: Thu Jan 1 23:41:41 2015 -0800

----------------------------------------------------------------------
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   | 24 ++++++++++++++++----
 .../hbase/zookeeper/ZooKeeperWatcher.java       |  1 -
 2 files changed, 19 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/efc49a74/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git 
a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java 
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index e11ee30..a26a66e 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -61,9 +61,11 @@ import org.apache.zookeeper.KeeperException.NoNodeException;
 import org.apache.zookeeper.Op;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.ZooDefs.Ids;
+import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.client.ZooKeeperSaslClient;
 import org.apache.zookeeper.data.ACL;
+import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
 import org.apache.zookeeper.proto.CreateRequest;
 import org.apache.zookeeper.proto.DeleteRequest;
@@ -955,7 +957,16 @@ public class ZKUtil {
   }
 
   private static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+    if (!node.startsWith(zkw.baseZNode)) {
+      return Ids.OPEN_ACL_UNSAFE;
+    }
     if (isSecureZooKeeper(zkw.getConfiguration())) {
+      String superUser = zkw.getConfiguration().get("hbase.superuser");
+      ArrayList<ACL> acls = new ArrayList<ACL>();
+      // add permission to hbase supper user
+      if (superUser != null) {
+        acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
+      }
       // Certain znodes are accessed directly by the client,
       // so they must be readable by non-authenticated clients
       if ((node.equals(zkw.baseZNode) == true) ||
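Review bot: The new early return at the top of createACL hands back `Ids.OPEN_ACL_UNSAFE` before `isSecureZooKeeper` is consulted, so on a secure cluster any znode created outside `zkw.baseZNode` becomes world-writable, where the old code would have fallen through to `Ids.CREATOR_ALL_ACL`. If that is intended for znodes HBase does not own, it needs a comment saying so; the bare `startsWith` also accepts a sibling path that merely shares the prefix, so matching on equality or on `zkw.baseZNode + "/"` would be stricter. Separately, the superuser entry is built as `new Id("auth", superUser)`, and ZooKeeper documents the `auth` scheme as ignoring the supplied id in favour of the ids the creating session authenticated with, so this entry probably grants nothing to the configured superuser. `new Id("sasl", superUser)` looks like what is meant and should be confirmed against a Kerberized quorum. `hbase.superuser` is also read as one string, so if the property can hold a comma-separated list the whole list becomes a single id; the method body continues in the next hunk.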
@@ -966,9 +977,12 @@ public class ZKUtil {
           (node.equals(zkw.backupMasterAddressesZNode) == true) ||
           (node.startsWith(zkw.assignmentZNode) == true) ||
           (node.startsWith(zkw.tableZNode) == true)) {
-        return ZooKeeperWatcher.CREATOR_ALL_AND_WORLD_READABLE;
+        acls.addAll(Ids.CREATOR_ALL_ACL);
+        acls.addAll(Ids.READ_ACL_UNSAFE);
+      } else {
+        acls.addAll(Ids.CREATOR_ALL_ACL);
       }
-      return Ids.CREATOR_ALL_ACL;
+      return acls;
     } else {
       return Ids.OPEN_ACL_UNSAFE;
     }
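Review bot: Both arms of the rewritten `if`/`else` call `acls.addAll(Ids.CREATOR_ALL_ACL)`, so the call can be hoisted above the condition, leaving only `acls.addAll(Ids.READ_ACL_UNSAFE);` inside the world-readable branch and no `else`. That makes it obvious that every secure znode gets creator-all and that only the listed client-facing znodes add the world-read entry. After this change createACL no longer references `ZooKeeperWatcher.CREATOR_ALL_AND_WORLD_READABLE`, yet the constant stays in ZooKeeperWatcher; if nothing else uses it, remove or deprecate it so two definitions of the "world-readable" ACL do not drift apart. The secure branch now returns a fresh list while the other branches still return the shared static `Ids` lists, which is worth noting in the method's Javadoc so that callers do not mutate the result.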
@@ -1324,8 +1338,8 @@ public class ZKUtil {
           deleteNodeRecursively(zkw, joinZNode(node, child));
         }
       }
-      //Zookeeper Watches are one time triggers; When children of parent nodes 
are deleted recursively. 
-      //Must set another watch, get notified of delete node   
+      //Zookeeper Watches are one time triggers; When children of parent nodes 
are deleted recursively.
+      //Must set another watch, get notified of delete node
       if (zkw.getRecoverableZooKeeper().exists(node, zkw) != null){
         zkw.getRecoverableZooKeeper().delete(node, -1);
       }
@@ -1838,7 +1852,7 @@ public class ZKUtil {
       try {
         data = ZKUtil.getData(zkw, znode);
       } catch(KeeperException e) {
-        if (e instanceof KeeperException.SessionExpiredException 
+        if (e instanceof KeeperException.SessionExpiredException
             || e instanceof KeeperException.AuthFailedException) {
           // non-recoverable errors so stop here
           throw new InterruptedException("interrupted due to " + e);

http://git-wip-us.apache.org/repos/asf/hbase/blob/efc49a74/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
----------------------------------------------------------------------
diff --git 
a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
 
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
index a20f1f6..02ba70e 100644
--- 
a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
+++ 
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
@@ -111,7 +111,6 @@ public class ZooKeeperWatcher implements Watcher, 
Abortable, Closeable {
   // znode containing namespace descriptors
   public static String namespaceZNode = "namespace";
 
-
   // Certain ZooKeeper nodes need to be world-readable
   public static final ArrayList<ACL> CREATOR_ALL_AND_WORLD_READABLE =
     new ArrayList<ACL>() { {
