HBASE-18323 Remove multiple ACLs for the same user in kerberos Signed-off-by: Josh Elser <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/ca0db5b8 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/ca0db5b8 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/ca0db5b8 Branch: refs/heads/branch-1.4 Commit: ca0db5b8c4a72cc6ad9218a7fbc35782ff2d4ec0 Parents: 5cbdab6 Author: å¼ ä¸å½¬10204932 <[email protected]> Authored: Sat Jul 22 12:28:43 2017 +0800 Committer: Andrew Purtell <[email protected]> Committed: Wed Jul 26 10:29:10 2017 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/hbase/zookeeper/ZKUtil.java | 11 ++++++++++- .../apache/hadoop/hbase/zookeeper/TestZKUtil.java | 16 ++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/ca0db5b8/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java ----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 4f4b2eb..d874768 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -58,6 +58,7 @@ import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.CreateAndFailSilent;
 import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.DeleteNodeFailSilent;
 import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.SetData;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.zookeeper.AsyncCallback;
 import org.apache.zookeeper.CreateMode;
@@ -913,6 +914,12 @@ public class ZKUtil {
 ArrayList<ACL> acls = new ArrayList<ACL>();
 // add permission to hbase supper user
 String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
+ String hbaseUser = null;
+ try {
+ hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ LOG.debug("Could not acquire current User.", e);
+ }
 if (superUsers != null) {
 List<String> groups = new ArrayList<String>();
 for (String user : superUsers) {
@@ -920,7 +927,9 @@ public class ZKUtil {
 // TODO: Set node ACL for groups when ZK supports this feature
 groups.add(user);
 } else {
- acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ if(!user.equals(hbaseUser)) {
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ }
 }
 }
 if (!groups.isEmpty()) {
http://git-wip-us.apache.org/repos/asf/hbase/blob/ca0db5b8/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java ----------------------------------------------------------------------
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 1099e5e..02d002a 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.data.ACL;
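Review bot: In the ZKUtil.createACL hunks (@@ -913 and @@ -920), the superuser to skip is taken from `UserGroupInformation.getCurrentUser().getShortUserName()`, but the identity the retained `auth` ACL protects is whatever principal the ZooKeeper client authenticated with; if createACL ever runs inside a doAs context, or the short name differs from the SASL id ZooKeeper records, a superuser entry could be dropped without the creator ACL actually covering it. The hunks do not show where the `auth` entry is added, so this is inferred, but reading the login user instead (`UserGroupInformation.getLoginUser()`, which is also what the new test sets) and adding a comment such as `// skip: the service principal is already covered by the creator (auth) ACL added elsewhere in createACL` would make the assumption explicit. When the lookup throws, `hbaseUser` stays null and nothing is skipped, which fails toward the old behaviour; that is reasonable but deserves a word in the comment since it is logged only at debug. Stylistically the nested `if(!user.equals(hbaseUser))` can fold into `} else if (!user.equals(hbaseUser)) {`. The method body begins and ends outside both hunks.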
@@ -78,4 +79,19 @@ public class TestZKUtil {
 Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
 Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
 }
+
+ @Test
+ public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
+ String node = "/hbase/testCreateACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 3); // 3, since service user the same as one of superuser
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6"))));
+ }
 }
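Review bot: `UserGroupInformation.setLoginUser(...)` in testCreateACLWithSameUser changes JVM-wide static state and is never restored, so any later test in the same JVM that reads the login or current user will see `user4`; save the previous login user and put it back in a `finally` block or an `@After` method. `Assert.assertEquals(aclList.size(), 3)` has expected and actual swapped, so a failure message would read backwards; it should be `Assert.assertEquals(3, aclList.size());`. The test checks that user5 and user6 are present but relies on the size check alone for the skipped entry, so an explicit `Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user4"))));` would pin the behaviour this commit is about.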
