HBASE-20869 Endpoint-based Export use incorrect user to write to destination

Signed-off-by: Chia-Ping Tsai <[email protected]>
Signed-off-by: tedyu <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/1ed58e41
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/1ed58e41
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/1ed58e41

Branch: refs/heads/HBASE-20749
Commit: 1ed58e41cce526e93d8da66c9571f71d11d94e8f
Parents: 724e323
Author: Wei-Chiu Chuang <[email protected]>
Authored: Thu Jul 19 20:17:06 2018 +0800
Committer: Chia-Ping Tsai <[email protected]>
Committed: Thu Jul 19 20:29:55 2018 +0800

----------------------------------------------------------------------
 .../org/apache/hadoop/hbase/coprocessor/Export.java | 13 ++++++++++---
 .../hadoop/hbase/coprocessor/TestSecureExport.java  | 16 ++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/1ed58e41/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java
----------------------------------------------------------------------
diff --git 
a/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java 
b/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java
index 6d6c1a6..b21d5c3 100644
--- 
a/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java
+++ 
b/hbase-endpoint/src/main/java/org/apache/hadoop/hbase/coprocessor/Export.java
@@ -451,9 +451,16 @@ public class Export extends ExportProtos.ExportService 
implements RegionCoproces
     SecureWriter(final Configuration conf, final UserProvider userProvider,
         final Token userToken, final List<SequenceFile.Writer.Option> opts)
         throws IOException {
-      privilegedWriter = new PrivilegedWriter(getActiveUser(userProvider, 
userToken),
-        SequenceFile.createWriter(conf,
-            opts.toArray(new SequenceFile.Writer.Option[opts.size()])));
+      User user = getActiveUser(userProvider, userToken);
+      try {
+        SequenceFile.Writer sequenceFileWriter =
+            user.runAs((PrivilegedExceptionAction<SequenceFile.Writer>) () ->
+                SequenceFile.createWriter(conf,
+                    opts.toArray(new 
SequenceFile.Writer.Option[opts.size()])));
+        privilegedWriter = new PrivilegedWriter(user, sequenceFileWriter);
+      } catch (InterruptedException e) {
+        throw new IOException(e);
+      }
     }
 
     void append(final Object key, final Object value) throws IOException {
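Review bot: The `catch (InterruptedException e)` block turns the interrupt into an `IOException` without restoring the thread's interrupt status, so code further up the call path can no longer tell that the thread was asked to stop. Add `Thread.currentThread().interrupt();` on the line before `throw new IOException(e);`. A short comment above the `user.runAs(...)` call would also help, for example `// Create the writer as the requesting user; the destination file is presumably created here, so its owner follows the caller of createWriter.` That ownership behaviour is the security-relevant reason for the change, and a later refactor could easily move `createWriter` back outside `runAs`.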

http://git-wip-us.apache.org/repos/asf/hbase/blob/1ed58e41/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
----------------------------------------------------------------------
diff --git 
a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
 
b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
index 21f17f7..b2ca1d4 100644
--- 
a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
+++ 
b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
@@ -29,6 +29,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsAction;
@@ -336,6 +337,21 @@ public class TestSecureExport {
         LOG.error(ex.toString(), ex);
         throw new Exception(ex);
       } finally {
+        if (fs.exists(new Path(openDir, "output"))) {
+          // if export completes successfully, every file under the output 
directory should be
+          // owned by the current user, not the hbase service user.
+          FileStatus outputDirFileStatus = fs.getFileStatus(new Path(openDir, 
"output"));
+          String currentUserName = User.getCurrent().getShortName();
+          assertEquals("Unexpected file owner", currentUserName, 
outputDirFileStatus.getOwner());
+
+          FileStatus[] outputFileStatus = fs.listStatus(new Path(openDir, 
"output"));
+          for (FileStatus fileStatus: outputFileStatus) {
+            assertEquals("Unexpected file owner", currentUserName, 
fileStatus.getOwner());
+          }
+        } else {
+          LOG.info("output directory doesn't exist. Skip check");
+        }
+
         clearOutput(output);
       }
     };
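Review bot: The new ownership assertions sit in the `finally` block ahead of `clearOutput(output)`, so a failing `assertEquals` skips the cleanup and, when the export itself threw, replaces that exception with the assertion error. Putting the checks in their own `try { ... } finally { clearOutput(output); }` keeps the cleanup unconditional. The `else` branch only logs when the output directory is missing, so a run in which the export wrote nothing passes without verifying ownership at all. `fs.listStatus` also inspects only the direct children, while the comment promises "every file under the output directory". The enclosing method starts and ends outside this hunk.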
