This is an automated email from the ASF dual-hosted git repository.
apurtell pushed a commit to branch branch-1
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-1 by this push:
new 0db4041 HBASE-17884 Backport HBASE-16217 to branch-1
0db4041 is described below
commit 0db4041c553ebb7afb5b84d1e828ff24beec7f06
Author: Gary Helmling <[email protected]>
AuthorDate: Tue Apr 16 09:52:00 2019 -0700
HBASE-17884 Backport HBASE-16217 to branch-1
HBASE-16217 Pass through the calling user in ObserverContext
Signed-off-by: Andrew Purtell <[email protected]>
---
.../apache/hadoop/hbase/protobuf/ProtobufUtil.java | 2 +-
.../hadoop/hbase/coprocessor/ObserverContext.java | 43 ++-
.../hadoop/hbase/master/MasterCoprocessorHost.java | 95 +++---
.../hbase/master/handler/CreateTableHandler.java | 11 +-
.../hbase/master/handler/DisableTableHandler.java | 5 +-
.../hbase/master/handler/EnableTableHandler.java | 5 +-
.../master/procedure/AddColumnFamilyProcedure.java | 35 +--
.../master/procedure/CreateTableProcedure.java | 25 +-
.../procedure/DeleteColumnFamilyProcedure.java | 35 +--
.../master/procedure/DeleteTableProcedure.java | 25 +-
.../master/procedure/DisableTableProcedure.java | 35 +--
.../master/procedure/EnableTableProcedure.java | 36 +--
.../master/procedure/MasterProcedureUtil.java | 17 +-
.../procedure/ModifyColumnFamilyProcedure.java | 35 +--
.../master/procedure/ModifyTableProcedure.java | 36 +--
.../master/procedure/TruncateTableProcedure.java | 26 +-
.../apache/hadoop/hbase/regionserver/HStore.java | 63 +---
.../hbase/regionserver/RegionCoprocessorHost.java | 73 +++--
.../regionserver/RegionMergeTransactionImpl.java | 110 +------
.../regionserver/RegionServerCoprocessorHost.java | 35 ++-
.../hbase/regionserver/SplitTransactionImpl.java | 113 +------
.../hbase/regionserver/compactions/Compactor.java | 38 +--
.../hbase/security/access/AccessController.java | 344 ++++++++++++---------
.../security/access/SecureBulkLoadEndpoint.java | 34 +-
24 files changed, 515 insertions(+), 761 deletions(-)
diff --git
a/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
index 4b511f7..36e495d 100644
---
a/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
+++
b/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java
@@ -2125,7 +2125,7 @@ public final class ProtobufUtil {
region_a.getRegionName(), region_b.getRegionName(),forcible);
if (user != null) {
try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
+ user.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try {
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java
index 78279ad..fc033f1 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java
@@ -23,6 +23,8 @@ import
org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.classification.InterfaceStability;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.ipc.RpcServer;
+import org.apache.hadoop.hbase.security.User;
/**
* Carries the execution state for a given invocation of an Observer
coprocessor
@@ -40,8 +42,10 @@ public class ObserverContext<E extends
CoprocessorEnvironment> {
private E env;
private boolean bypass;
private boolean complete;
+ private User caller;
- public ObserverContext() {
+ public ObserverContext(User caller) {
+ this.caller = caller;
}
public E getEnvironment() {
@@ -92,6 +96,16 @@ public class ObserverContext<E extends
CoprocessorEnvironment> {
}
/**
+ * Returns the active user for the coprocessor call.
+ * If an explicit {@code User} instance was provided to the constructor,
that will be returned,
+ * otherwise if we are in the context of an RPC call, the remote user is
used. May return null
+ * if the execution is outside of an RPC context.
+ */
+ public User getCaller() {
+ return caller;
+ }
+
+ /**
* Instantiates a new ObserverContext instance if the passed reference is
* <code>null</code> and sets the environment in the new or existing
instance.
* This allows deferring the instantiation of a ObserverContext until it is
@@ -102,11 +116,36 @@ public class ObserverContext<E extends
CoprocessorEnvironment> {
* to create a new instance
* @param <T> The environment type for the context
* @return An instance of <code>ObserverContext</code> with the environment
set
+ * @deprecated
*/
+ @Deprecated
+ // TODO: Remove this method, ObserverContext should not depend on RpcServer
public static <T extends CoprocessorEnvironment> ObserverContext<T>
createAndPrepare(
T env, ObserverContext<T> context) {
if (context == null) {
- context = new ObserverContext<T>();
+ context = new ObserverContext<T>(RpcServer.getRequestUser());
+ }
+ context.prepare(env);
+ return context;
+ }
+
+ /**
+ * Instantiates a new ObserverContext instance if the passed reference is
+ * <code>null</code> and sets the environment in the new or existing
instance.
+ * This allows deferring the instantiation of a ObserverContext until it is
+ * actually needed.
+ *
+ * @param env The coprocessor environment to set
+ * @param context An existing ObserverContext instance to use, or
<code>null</code>
+ * to create a new instance
+ * @param user The requesting caller for the execution context
+ * @param <T> The environment type for the context
+ * @return An instance of <code>ObserverContext</code> with the environment
set
+ */
+ public static <T extends CoprocessorEnvironment> ObserverContext<T>
createAndPrepare(
+ T env, ObserverContext<T> context, User user) {
+ if (context == null) {
+ context = new ObserverContext<T>(user);
}
context.prepare(env);
return context;
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
index 6965eae..a7bf5c1 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
@@ -44,12 +44,14 @@ import
org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.MetricsCoprocessor;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
import org.apache.hadoop.hbase.metrics.MetricRegistry;
import org.apache.hadoop.hbase.net.Address;
import org.apache.hadoop.hbase.procedure2.ProcedureExecutor;
import
org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
import org.apache.hadoop.hbase.protobuf.generated.QuotaProtos.Quotas;
+import org.apache.hadoop.hbase.security.User;
/**
* Provides the coprocessor framework and environment for master oriented
@@ -257,9 +259,9 @@ public class MasterCoprocessorHost
});
}
- public void preCreateTableHandler(final HTableDescriptor htd, final
HRegionInfo[] regions)
- throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preCreateTableHandler(final HTableDescriptor htd, final
HRegionInfo[] regions,
+ final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -268,9 +270,9 @@ public class MasterCoprocessorHost
});
}
- public void postCreateTableHandler(final HTableDescriptor htd, final
HRegionInfo[] regions)
- throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postCreateTableHandler(final HTableDescriptor htd, final
HRegionInfo[] regions,
+ final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -299,8 +301,8 @@ public class MasterCoprocessorHost
});
}
- public void preDeleteTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preDeleteTableHandler(final TableName tableName, final User
user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -309,8 +311,9 @@ public class MasterCoprocessorHost
});
}
- public void postDeleteTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postDeleteTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -339,8 +342,9 @@ public class MasterCoprocessorHost
});
}
- public void preTruncateTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preTruncateTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -349,8 +353,9 @@ public class MasterCoprocessorHost
});
}
- public void postTruncateTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postTruncateTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -381,9 +386,10 @@ public class MasterCoprocessorHost
});
}
- public void preModifyTableHandler(final TableName tableName, final
HTableDescriptor htd)
+ public void preModifyTableHandler(final TableName tableName, final
HTableDescriptor htd,
+ final User user)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -392,9 +398,10 @@ public class MasterCoprocessorHost
});
}
- public void postModifyTableHandler(final TableName tableName, final
HTableDescriptor htd)
+ public void postModifyTableHandler(final TableName tableName, final
HTableDescriptor htd,
+ final User user)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -425,9 +432,10 @@ public class MasterCoprocessorHost
});
}
- public boolean preAddColumnHandler(final TableName tableName, final
HColumnDescriptor column)
+ public boolean preAddColumnHandler(final TableName tableName, final
HColumnDescriptor column,
+ final User user)
throws IOException {
- return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation() {
+ return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -436,9 +444,10 @@ public class MasterCoprocessorHost
});
}
- public void postAddColumnHandler(final TableName tableName, final
HColumnDescriptor column)
+ public void postAddColumnHandler(final TableName tableName, final
HColumnDescriptor column,
+ final User user)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -470,8 +479,8 @@ public class MasterCoprocessorHost
}
public boolean preModifyColumnHandler(final TableName tableName,
- final HColumnDescriptor descriptor) throws IOException {
- return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation() {
+ final HColumnDescriptor descriptor, final User user) throws IOException {
+ return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -481,8 +490,8 @@ public class MasterCoprocessorHost
}
public void postModifyColumnHandler(final TableName tableName,
- final HColumnDescriptor descriptor) throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ final HColumnDescriptor descriptor, final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -511,9 +520,10 @@ public class MasterCoprocessorHost
});
}
- public boolean preDeleteColumnHandler(final TableName tableName, final
byte[] c)
+ public boolean preDeleteColumnHandler(final TableName tableName, final
byte[] c,
+ final User user)
throws IOException {
- return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation() {
+ return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -522,9 +532,10 @@ public class MasterCoprocessorHost
});
}
- public void postDeleteColumnHandler(final TableName tableName, final byte[]
c)
+ public void postDeleteColumnHandler(final TableName tableName, final byte[]
c,
+ final User user)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -553,8 +564,8 @@ public class MasterCoprocessorHost
});
}
- public void preEnableTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preEnableTableHandler(final TableName tableName, final User
user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -563,8 +574,9 @@ public class MasterCoprocessorHost
});
}
- public void postEnableTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postEnableTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -593,8 +605,9 @@ public class MasterCoprocessorHost
});
}
- public void preDisableTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preDisableTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -603,8 +616,9 @@ public class MasterCoprocessorHost
});
}
- public void postDisableTableHandler(final TableName tableName) throws
IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postDisableTableHandler(final TableName tableName, final User
user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(MasterObserver oserver,
ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
@@ -1404,6 +1418,11 @@ public class MasterCoprocessorHost
private static abstract class CoprocessorOperation
extends ObserverContext<MasterCoprocessorEnvironment> {
public CoprocessorOperation() {
+ this(RpcServer.getRequestUser());
+ }
+
+ public CoprocessorOperation(User user) {
+ super(user);
}
public abstract void call(MasterObserver oserver,
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
index a639407..79e2493 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.master.handler;
import java.io.IOException;
import java.io.InterruptedIOException;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
@@ -200,18 +199,12 @@ public class CreateTableHandler extends EventHandler {
try {
final MasterCoprocessorHost cpHost = master.getMasterCoprocessorHost();
if (cpHost != null) {
- cpHost.preCreateTableHandler(this.hTableDescriptor, this.newRegions);
+ cpHost.preCreateTableHandler(this.hTableDescriptor, this.newRegions,
activeUser);
}
handleCreateTable(tableName);
completed(null);
if (cpHost != null) {
- this.activeUser.runAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.postCreateTableHandler(hTableDescriptor, newRegions);
- return null;
- }
- });
+ cpHost.postCreateTableHandler(hTableDescriptor, newRegions,
activeUser);
}
} catch (Throwable e) {
LOG.error("Error trying to create the table " + tableName, e);
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java
index d889671..76f603f 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java
@@ -129,12 +129,13 @@ public class DisableTableHandler extends EventHandler {
LOG.info("Attempting to disable table " + this.tableName);
MasterCoprocessorHost cpHost = ((HMaster) this.server)
.getMasterCoprocessorHost();
+ // this executes in assignment manager to recover disabling table, not
overriding user
if (cpHost != null) {
- cpHost.preDisableTableHandler(this.tableName);
+ cpHost.preDisableTableHandler(this.tableName, null);
}
handleDisableTable();
if (cpHost != null) {
- cpHost.postDisableTableHandler(this.tableName);
+ cpHost.postDisableTableHandler(this.tableName, null);
}
} catch (IOException e) {
LOG.error("Error trying to disable table " + this.tableName, e);
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java
index 243ec2d..2e6a10a 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java
@@ -150,12 +150,13 @@ public class EnableTableHandler extends EventHandler {
LOG.info("Attempting to enable the table " + this.tableName);
MasterCoprocessorHost cpHost = ((HMaster) this.server)
.getMasterCoprocessorHost();
+ // this executes within assignment manager, so not overriding user
if (cpHost != null) {
- cpHost.preEnableTableHandler(this.tableName);
+ cpHost.preEnableTableHandler(this.tableName, null);
}
handleEnableTable();
if (cpHost != null) {
- cpHost.postEnableTableHandler(this.tableName);
+ cpHost.postEnableTableHandler(this.tableName, null);
}
} catch (IOException e) {
LOG.error("Error trying to enable the table " + this.tableName, e);
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java
index a7e34d8..a3dc1a4 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -39,7 +38,7 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.AddColumnFamilyState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
-import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.hbase.security.User;
/**
* The procedure to add a column family to an existing table.
@@ -55,7 +54,7 @@ public class AddColumnFamilyProcedure
private TableName tableName;
private HTableDescriptor unmodifiedHTableDescriptor;
private HColumnDescriptor cfDescriptor;
- private UserGroupInformation user;
+ private User user;
private List<HRegionInfo> regionInfoList;
private Boolean traceEnabled;
@@ -70,8 +69,8 @@ public class AddColumnFamilyProcedure
final HColumnDescriptor cfDescriptor) {
this.tableName = tableName;
this.cfDescriptor = cfDescriptor;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
this.unmodifiedHTableDescriptor = null;
this.regionInfoList = null;
this.traceEnabled = null;
@@ -375,22 +374,16 @@ public class AddColumnFamilyProcedure
throws IOException, InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case ADD_COLUMN_FAMILY_PRE_OPERATION:
- cpHost.preAddColumnHandler(tableName, cfDescriptor);
- break;
- case ADD_COLUMN_FAMILY_POST_OPERATION:
- cpHost.postAddColumnHandler(tableName, cfDescriptor);
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case ADD_COLUMN_FAMILY_PRE_OPERATION:
+ cpHost.preAddColumnHandler(tableName, cfDescriptor, user);
+ break;
+ case ADD_COLUMN_FAMILY_POST_OPERATION:
+ cpHost.postAddColumnHandler(tableName, cfDescriptor, user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java
index f3218ee..152af45 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -48,11 +47,11 @@ import
org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.CreateTableState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.FSTableDescriptors;
import org.apache.hadoop.hbase.util.FSUtils;
import org.apache.hadoop.hbase.util.ModifyRegionUtils;
import org.apache.hadoop.hbase.util.ServerRegionReplicaUtil;
-import org.apache.hadoop.security.UserGroupInformation;
import com.google.common.collect.Lists;
@@ -69,7 +68,7 @@ public class CreateTableProcedure
private HTableDescriptor hTableDescriptor;
private List<HRegionInfo> newRegions;
- private UserGroupInformation user;
+ private User user;
public CreateTableProcedure() {
// Required by the Procedure framework to create the procedure on replay
@@ -86,8 +85,8 @@ public class CreateTableProcedure
final ProcedurePrepareLatch syncLatch) {
this.hTableDescriptor = hTableDescriptor;
this.newRegions = newRegions != null ? Lists.newArrayList(newRegions) :
null;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
// used for compatibility with clients without procedures
// they need a sync TableExistsException
@@ -330,13 +329,7 @@ public class CreateTableProcedure
if (cpHost != null) {
final HRegionInfo[] regions = newRegions == null ? null :
newRegions.toArray(new HRegionInfo[newRegions.size()]);
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.preCreateTableHandler(hTableDescriptor, regions);
- return null;
- }
- });
+ cpHost.preCreateTableHandler(hTableDescriptor, regions, user);
}
}
@@ -346,13 +339,7 @@ public class CreateTableProcedure
if (cpHost != null) {
final HRegionInfo[] regions = (newRegions == null) ? null :
newRegions.toArray(new HRegionInfo[newRegions.size()]);
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.postCreateTableHandler(hTableDescriptor, regions);
- return null;
- }
- });
+ cpHost.postCreateTableHandler(hTableDescriptor, regions, user);
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java
index bb8a201..5b1a69c 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -38,9 +37,9 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DeleteColumnFamilyState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.ByteStringer;
import org.apache.hadoop.hbase.util.Bytes;
-import org.apache.hadoop.security.UserGroupInformation;
/**
* The procedure to delete a column family from an existing table.
@@ -56,7 +55,7 @@ public class DeleteColumnFamilyProcedure
private HTableDescriptor unmodifiedHTableDescriptor;
private TableName tableName;
private byte [] familyName;
- private UserGroupInformation user;
+ private User user;
private List<HRegionInfo> regionInfoList;
private Boolean traceEnabled;
@@ -71,8 +70,8 @@ public class DeleteColumnFamilyProcedure
final byte[] familyName) {
this.tableName = tableName;
this.familyName = familyName;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
this.unmodifiedHTableDescriptor = null;
this.regionInfoList = null;
this.traceEnabled = null;
@@ -396,22 +395,16 @@ public class DeleteColumnFamilyProcedure
final DeleteColumnFamilyState state) throws IOException,
InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case DELETE_COLUMN_FAMILY_PRE_OPERATION:
- cpHost.preDeleteColumnHandler(tableName, familyName);
- break;
- case DELETE_COLUMN_FAMILY_POST_OPERATION:
- cpHost.postDeleteColumnHandler(tableName, familyName);
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case DELETE_COLUMN_FAMILY_PRE_OPERATION:
+ cpHost.preDeleteColumnHandler(tableName, familyName, user);
+ break;
+ case DELETE_COLUMN_FAMILY_POST_OPERATION:
+ cpHost.postDeleteColumnHandler(tableName, familyName, user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java
index 6d27b46..673588d 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
@@ -53,8 +52,8 @@ import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DeleteTableState;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.procedure2.StateMachineProcedure;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.FSUtils;
-import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.Private
public class DeleteTableProcedure
@@ -63,7 +62,7 @@ public class DeleteTableProcedure
private static final Log LOG = LogFactory.getLog(DeleteTableProcedure.class);
private List<HRegionInfo> regions;
- private UserGroupInformation user;
+ private User user;
private TableName tableName;
// used for compatibility with old clients
@@ -81,8 +80,8 @@ public class DeleteTableProcedure
public DeleteTableProcedure(final MasterProcedureEnv env, final TableName
tableName,
final ProcedurePrepareLatch syncLatch) {
this.tableName = tableName;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
// used for compatibility with clients without procedures
// they need a sync TableNotFoundException, TableNotDisabledException, ...
@@ -263,13 +262,7 @@ public class DeleteTableProcedure
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
final TableName tableName = this.tableName;
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.preDeleteTableHandler(tableName);
- return null;
- }
- });
+ cpHost.preDeleteTableHandler(tableName, user);
}
return true;
}
@@ -281,13 +274,7 @@ public class DeleteTableProcedure
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
final TableName tableName = this.tableName;
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.postDeleteTableHandler(tableName);
- return null;
- }
- });
+ cpHost.postDeleteTableHandler(tableName, user);
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java
index 185c0d0..bec599c 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -47,8 +46,8 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DisableTableState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.htrace.Trace;
@InterfaceAudience.Private
@@ -64,7 +63,7 @@ public class DisableTableProcedure
private TableName tableName;
private boolean skipTableStateCheck;
- private UserGroupInformation user;
+ private User user;
private Boolean traceEnabled = null;
@@ -99,8 +98,8 @@ public class DisableTableProcedure
final boolean skipTableStateCheck, final ProcedurePrepareLatch
syncLatch) {
this.tableName = tableName;
this.skipTableStateCheck = skipTableStateCheck;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
// Compatible with 1.0: We use latch to make sure that this procedure
implementation is
// compatible with 1.0 asynchronized operations. We need to lock the table
and check
@@ -475,22 +474,16 @@ public class DisableTableProcedure
throws IOException, InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case DISABLE_TABLE_PRE_OPERATION:
- cpHost.preDisableTableHandler(tableName);
- break;
- case DISABLE_TABLE_POST_OPERATION:
- cpHost.postDisableTableHandler(tableName);
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case DISABLE_TABLE_PRE_OPERATION:
+ cpHost.preDisableTableHandler(tableName, user);
+ break;
+ case DISABLE_TABLE_POST_OPERATION:
+ cpHost.postDisableTableHandler(tableName, user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java
index 14f68e2..f4a4538 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -39,7 +38,6 @@ import org.apache.hadoop.hbase.TableNotFoundException;
import org.apache.hadoop.hbase.TableStateManager;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.exceptions.HBaseException;
-import org.apache.hadoop.hbase.executor.EventType;
import org.apache.hadoop.hbase.master.AssignmentManager;
import org.apache.hadoop.hbase.master.BulkAssigner;
import org.apache.hadoop.hbase.master.GeneralBulkAssigner;
@@ -52,9 +50,9 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.EnableTableState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.hbase.zookeeper.MetaTableLocator;
-import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.Private
public class EnableTableProcedure
@@ -69,7 +67,7 @@ public class EnableTableProcedure
private TableName tableName;
private boolean skipTableStateCheck;
- private UserGroupInformation user;
+ private User user;
private Boolean traceEnabled = null;
@@ -98,8 +96,8 @@ public class EnableTableProcedure
final boolean skipTableStateCheck, final ProcedurePrepareLatch
syncLatch) {
this.tableName = tableName;
this.skipTableStateCheck = skipTableStateCheck;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
// Compatible with 1.0: We use latch to make sure that this procedure
implementation is
// compatible with 1.0 asynchronized operations. We need to lock the table
and check
@@ -558,22 +556,16 @@ public class EnableTableProcedure
throws IOException, InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case ENABLE_TABLE_PRE_OPERATION:
- cpHost.preEnableTableHandler(getTableName());
- break;
- case ENABLE_TABLE_POST_OPERATION:
- cpHost.postEnableTableHandler(getTableName());
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case ENABLE_TABLE_PRE_OPERATION:
+ cpHost.preEnableTableHandler(getTableName(), user);
+ break;
+ case ENABLE_TABLE_POST_OPERATION:
+ cpHost.postEnableTableHandler(getTableName(), user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java
index 4759e7d..3516c97 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java
@@ -20,8 +20,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.classification.InterfaceStability;
import org.apache.hadoop.hbase.master.MasterServices;
@@ -35,28 +33,27 @@ import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.Private
@InterfaceStability.Evolving
public final class MasterProcedureUtil {
- private static final Log LOG = LogFactory.getLog(MasterProcedureUtil.class);
private MasterProcedureUtil() {}
- public static UserInformation toProtoUserInfo(UserGroupInformation ugi) {
+ public static UserInformation toProtoUserInfo(User user) {
UserInformation.Builder userInfoPB = UserInformation.newBuilder();
- userInfoPB.setEffectiveUser(ugi.getUserName());
- if (ugi.getRealUser() != null) {
- userInfoPB.setRealUser(ugi.getRealUser().getUserName());
+ userInfoPB.setEffectiveUser(user.getName());
+ if (user.getUGI().getRealUser() != null) {
+ userInfoPB.setRealUser(user.getUGI().getRealUser().getUserName());
}
return userInfoPB.build();
}
- public static UserGroupInformation toUserInfo(UserInformation userInfoProto)
{
+ public static User toUserInfo(UserInformation userInfoProto) {
if (userInfoProto.hasEffectiveUser()) {
String effectiveUser = userInfoProto.getEffectiveUser();
if (userInfoProto.hasRealUser()) {
String realUser = userInfoProto.getRealUser();
UserGroupInformation realUserUgi =
UserGroupInformation.createRemoteUser(realUser);
- return UserGroupInformation.createProxyUser(effectiveUser,
realUserUgi);
+ return User.create(UserGroupInformation.createProxyUser(effectiveUser,
realUserUgi));
}
- return UserGroupInformation.createRemoteUser(effectiveUser);
+ return User.create(UserGroupInformation.createRemoteUser(effectiveUser));
}
return null;
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java
index 5e81dbf..5a6b592 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -39,7 +38,7 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.ModifyColumnFamilyState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
-import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.hbase.security.User;
/**
* The procedure to modify a column family from an existing table.
@@ -55,7 +54,7 @@ public class ModifyColumnFamilyProcedure
private TableName tableName;
private HTableDescriptor unmodifiedHTableDescriptor;
private HColumnDescriptor cfDescriptor;
- private UserGroupInformation user;
+ private User user;
private Boolean traceEnabled;
@@ -68,8 +67,8 @@ public class ModifyColumnFamilyProcedure
final HColumnDescriptor cfDescriptor) {
this.tableName = tableName;
this.cfDescriptor = cfDescriptor;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
this.unmodifiedHTableDescriptor = null;
this.traceEnabled = null;
}
@@ -356,22 +355,16 @@ public class ModifyColumnFamilyProcedure
final ModifyColumnFamilyState state) throws IOException,
InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case MODIFY_COLUMN_FAMILY_PRE_OPERATION:
- cpHost.preModifyColumnHandler(tableName, cfDescriptor);
- break;
- case MODIFY_COLUMN_FAMILY_POST_OPERATION:
- cpHost.postModifyColumnHandler(tableName, cfDescriptor);
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case MODIFY_COLUMN_FAMILY_PRE_OPERATION:
+ cpHost.preModifyColumnHandler(tableName, cfDescriptor, user);
+ break;
+ case MODIFY_COLUMN_FAMILY_POST_OPERATION:
+ cpHost.postModifyColumnHandler(tableName, cfDescriptor, user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java
index b04a638..e785684 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java
@@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -43,14 +42,13 @@ import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
-import org.apache.hadoop.hbase.executor.EventType;
import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
import org.apache.hadoop.hbase.procedure2.StateMachineProcedure;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.ModifyTableState;
import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.ServerRegionReplicaUtil;
-import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.Private
public class ModifyTableProcedure
@@ -62,7 +60,7 @@ public class ModifyTableProcedure
private HTableDescriptor unmodifiedHTableDescriptor = null;
private HTableDescriptor modifiedHTableDescriptor;
- private UserGroupInformation user;
+ private User user;
private boolean deleteColumnFamilyInModify;
private List<HRegionInfo> regionInfoList;
@@ -75,8 +73,8 @@ public class ModifyTableProcedure
public ModifyTableProcedure(final MasterProcedureEnv env, final
HTableDescriptor htd) {
initilize();
this.modifiedHTableDescriptor = htd;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
}
private void initilize() {
@@ -468,22 +466,16 @@ public class ModifyTableProcedure
throws IOException, InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- switch (state) {
- case MODIFY_TABLE_PRE_OPERATION:
- cpHost.preModifyTableHandler(getTableName(),
modifiedHTableDescriptor);
- break;
- case MODIFY_TABLE_POST_OPERATION:
- cpHost.postModifyTableHandler(getTableName(),
modifiedHTableDescriptor);
- break;
- default:
- throw new UnsupportedOperationException(this + " unhandled state="
+ state);
- }
- return null;
- }
- });
+ switch (state) {
+ case MODIFY_TABLE_PRE_OPERATION:
+ cpHost.preModifyTableHandler(getTableName(),
modifiedHTableDescriptor, user);
+ break;
+ case MODIFY_TABLE_POST_OPERATION:
+ cpHost.postModifyTableHandler(getTableName(),
modifiedHTableDescriptor, user);
+ break;
+ default:
+ throw new UnsupportedOperationException(this + " unhandled state=" +
state);
+ }
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java
index 4689426..0feb80a 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java
@@ -22,10 +22,10 @@ import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.HRegionInfo;
@@ -41,8 +41,8 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos;
import
org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.TruncateTableState;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.ModifyRegionUtils;
-import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.Private
public class TruncateTableProcedure
@@ -52,7 +52,7 @@ public class TruncateTableProcedure
private boolean preserveSplits;
private List<HRegionInfo> regions;
- private UserGroupInformation user;
+ private User user;
private HTableDescriptor hTableDescriptor;
private TableName tableName;
@@ -64,8 +64,8 @@ public class TruncateTableProcedure
boolean preserveSplits) {
this.tableName = tableName;
this.preserveSplits = preserveSplits;
- this.user = env.getRequestUser().getUGI();
- this.setOwner(this.user.getShortUserName());
+ this.user = env.getRequestUser();
+ this.setOwner(this.user.getShortName());
}
@Override
@@ -273,13 +273,7 @@ public class TruncateTableProcedure
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
final TableName tableName = getTableName();
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.preTruncateTableHandler(tableName);
- return null;
- }
- });
+ cpHost.preTruncateTableHandler(tableName, user);
}
return true;
}
@@ -289,13 +283,7 @@ public class TruncateTableProcedure
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
final TableName tableName = getTableName();
- user.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- cpHost.postTruncateTableHandler(tableName);
- return null;
- }
- });
+ cpHost.postTruncateTableHandler(tableName, user);
}
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java
index 7fbfb49..6f8c4cd 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java
@@ -23,7 +23,6 @@ import java.io.InterruptedIOException;
import java.net.InetSocketAddress;
import java.security.Key;
import java.security.KeyException;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -1417,23 +1416,7 @@ public class HStore implements Store {
final StoreFile sf = moveFileIntoPlace(newFile);
if (this.getCoprocessorHost() != null) {
final Store thisStore = this;
- if (user == null) {
- getCoprocessorHost().postCompact(thisStore, sf, cr);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- getCoprocessorHost().postCompact(thisStore, sf, cr);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ getCoprocessorHost().postCompact(thisStore, sf, cr, user);
}
assert sf != null;
sfs.add(sf);
@@ -1639,7 +1622,7 @@ public class HStore implements Store {
// Move the compaction into place.
StoreFile sf = moveFileIntoPlace(newFile);
if (this.getCoprocessorHost() != null) {
- this.getCoprocessorHost().postCompact(this, sf, null);
+ this.getCoprocessorHost().postCompact(this, sf, null, null);
}
replaceStoreFiles(filesToCompact, Lists.newArrayList(sf));
completeCompaction(filesToCompact);
@@ -1710,29 +1693,12 @@ public class HStore implements Store {
this.lock.readLock().lock();
try {
synchronized (filesCompacting) {
- final Store thisStore = this;
// First, see if coprocessor would want to override selection.
if (this.getCoprocessorHost() != null) {
final List<StoreFile> candidatesForCoproc =
compaction.preSelect(this.filesCompacting);
boolean override = false;
- if (user == null) {
- override = getCoprocessorHost().preCompactSelection(this,
candidatesForCoproc,
- baseRequest);
- } else {
- try {
- override = user.getUGI().doAs(new
PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- return getCoprocessorHost().preCompactSelection(thisStore,
candidatesForCoproc,
- baseRequest);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ override = getCoprocessorHost().preCompactSelection(this,
candidatesForCoproc,
+ baseRequest, user);
if (override) {
// Coprocessor is overriding normal file selection.
compaction.forceSelect(new CompactionRequest(candidatesForCoproc));
@@ -1760,25 +1726,8 @@ public class HStore implements Store {
}
}
if (this.getCoprocessorHost() != null) {
- if (user == null) {
- this.getCoprocessorHost().postCompactSelection(
- this, ImmutableList.copyOf(compaction.getRequest().getFiles()),
baseRequest);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- getCoprocessorHost().postCompactSelection(
-
thisStore,ImmutableList.copyOf(compaction.getRequest().getFiles()),baseRequest);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ this.getCoprocessorHost().postCompactSelection(
+ this, ImmutableList.copyOf(compaction.getRequest().getFiles()),
baseRequest, user);
}
// Selected files; see if we have a compaction with some custom base
request.
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
index 3378636..bc5af20 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
@@ -71,6 +71,7 @@ import org.apache.hadoop.hbase.io.FSDataInputStreamWrapper;
import org.apache.hadoop.hbase.io.ImmutableBytesWritable;
import org.apache.hadoop.hbase.io.Reference;
import org.apache.hadoop.hbase.io.hfile.CacheConfig;
+import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.metrics.MetricRegistry;
import org.apache.hadoop.hbase.regionserver.DeleteTracker;
import org.apache.hadoop.hbase.regionserver.Region.Operation;
@@ -78,6 +79,7 @@ import
org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest;
import org.apache.hadoop.hbase.regionserver.wal.HLogKey;
import org.apache.hadoop.hbase.wal.WALKey;
import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
+import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.CoprocessorClassLoader;
import org.apache.hadoop.hbase.util.Pair;
@@ -537,9 +539,9 @@ public class RegionCoprocessorHost
*/
public InternalScanner preCompactScannerOpen(final Store store,
final List<StoreFileScanner> scanners, final ScanType scanType, final
long earliestPutTs,
- final CompactionRequest request, final long readPoint) throws
IOException {
+ final CompactionRequest request, final long readPoint, final User user)
throws IOException {
return execOperationWithResult(null,
- coprocessors.isEmpty() ? null : new
RegionOperationWithResult<InternalScanner>() {
+ coprocessors.isEmpty() ? null : new
RegionOperationWithResult<InternalScanner>(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -559,8 +561,8 @@ public class RegionCoprocessorHost
* @throws IOException
*/
public boolean preCompactSelection(final Store store, final List<StoreFile>
candidates,
- final CompactionRequest request) throws IOException {
- return execOperation(coprocessors.isEmpty() ? null : new RegionOperation()
{
+ final CompactionRequest request, final User user) throws IOException {
+ return execOperation(coprocessors.isEmpty() ? null : new
RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -577,9 +579,9 @@ public class RegionCoprocessorHost
* @param request custom compaction
*/
public void postCompactSelection(final Store store, final
ImmutableList<StoreFile> selected,
- final CompactionRequest request) {
+ final CompactionRequest request, final User user) {
try {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -600,9 +602,10 @@ public class RegionCoprocessorHost
* @throws IOException
*/
public InternalScanner preCompact(final Store store, final InternalScanner
scanner,
- final ScanType scanType, final CompactionRequest request) throws
IOException {
+ final ScanType scanType, final CompactionRequest request, final User
user)
+ throws IOException {
return execOperationWithResult(false, scanner,
- coprocessors.isEmpty() ? null : new
RegionOperationWithResult<InternalScanner>() {
+ coprocessors.isEmpty() ? null : new
RegionOperationWithResult<InternalScanner>(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -619,8 +622,8 @@ public class RegionCoprocessorHost
* @throws IOException
*/
public void postCompact(final Store store, final StoreFile resultFile,
- final CompactionRequest request) throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ final CompactionRequest request, final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -709,8 +712,8 @@ public class RegionCoprocessorHost
* @throws IOException
*/
// TODO: Deprecate this
- public void preSplit() throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void preSplit(final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -723,8 +726,8 @@ public class RegionCoprocessorHost
* Invoked just before a split
* @throws IOException
*/
- public void preSplit(final byte[] splitRow) throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void preSplit(final byte[] splitRow, final User user) throws
IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -739,8 +742,8 @@ public class RegionCoprocessorHost
* @param r the new right-hand daughter region
* @throws IOException
*/
- public void postSplit(final Region l, final Region r) throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void postSplit(final Region l, final Region r, final User user)
throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -750,8 +753,8 @@ public class RegionCoprocessorHost
}
public boolean preSplitBeforePONR(final byte[] splitKey,
- final List<Mutation> metaEntries) throws IOException {
- return execOperation(coprocessors.isEmpty() ? null : new RegionOperation()
{
+ final List<Mutation> metaEntries, final User user) throws IOException {
+ return execOperation(coprocessors.isEmpty() ? null : new
RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -760,8 +763,8 @@ public class RegionCoprocessorHost
});
}
- public void preSplitAfterPONR() throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void preSplitAfterPONR(final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -774,8 +777,8 @@ public class RegionCoprocessorHost
* Invoked just before the rollback of a failed split is started
* @throws IOException
*/
- public void preRollBackSplit() throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void preRollBackSplit(final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -788,8 +791,8 @@ public class RegionCoprocessorHost
* Invoked just after the rollback of a failed split is done
* @throws IOException
*/
- public void postRollBackSplit() throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new RegionOperation() {
+ public void postRollBackSplit(final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) {
@Override
public void call(RegionObserver oserver,
ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
@@ -1690,6 +1693,14 @@ public class RegionCoprocessorHost
private static abstract class CoprocessorOperation
extends ObserverContext<RegionCoprocessorEnvironment> {
+ public CoprocessorOperation() {
+ this(RpcServer.getRequestUser());
+ }
+
+ public CoprocessorOperation(User user) {
+ super(user);
+ }
+
public abstract void call(Coprocessor observer,
ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException;
public abstract boolean hasCall(Coprocessor observer);
@@ -1697,6 +1708,13 @@ public class RegionCoprocessorHost
}
private static abstract class RegionOperation extends CoprocessorOperation {
+ public RegionOperation() {
+ }
+
+ public RegionOperation(User user) {
+ super(user);
+ }
+
public abstract void call(RegionObserver observer,
ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException;
@@ -1713,6 +1731,13 @@ public class RegionCoprocessorHost
}
private static abstract class RegionOperationWithResult<T> extends
RegionOperation {
+ public RegionOperationWithResult() {
+ }
+
+ public RegionOperationWithResult(User user) {
+ super(user);
+ }
+
private T result = null;
public void setResult(final T result) { this.result = result; }
public T getResult() { return this.result; }
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java
index 03aa059..ff0d7a1 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java
@@ -19,8 +19,6 @@
package org.apache.hadoop.hbase.regionserver;
import java.io.IOException;
-import java.io.InterruptedIOException;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.ListIterator;
@@ -277,23 +275,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
}
final HRegion mergedRegion = createMergedRegion(server, services, user);
if (rsCoprocessorHost != null) {
- if (user == null) {
- rsCoprocessorHost.postMergeCommit(this.region_a, this.region_b,
mergedRegion);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- rsCoprocessorHost.postMergeCommit(region_a, region_b,
mergedRegion);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ rsCoprocessorHost.postMergeCommit(this.region_a, this.region_b,
mergedRegion, user);
}
stepsAfterPONR(server, services, mergedRegion, user);
@@ -317,23 +299,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
mergedRegionInfo, region_a, region_b, rmd, mergedRegion);
}
if (rsCoprocessorHost != null) {
- if (user == null) {
- rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion, user);
}
}
@@ -355,23 +321,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
}
if (rsCoprocessorHost != null) {
- boolean ret = false;
- if (user == null) {
- ret = rsCoprocessorHost.preMerge(region_a, region_b);
- } else {
- try {
- ret = user.getUGI().doAs(new PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- return rsCoprocessorHost.preMerge(region_a, region_b);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ boolean ret = rsCoprocessorHost.preMerge(region_a, region_b, user);
if (ret) {
throw new IOException("Coprocessor bypassing regions " + this.region_a
+ " "
+ this.region_b + " merge.");
@@ -387,23 +337,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
@MetaMutationAnnotation
final List<Mutation> metaEntries = new ArrayList<Mutation>();
if (rsCoprocessorHost != null) {
- boolean ret = false;
- if (user == null) {
- ret = rsCoprocessorHost.preMergeCommit(region_a, region_b,
metaEntries);
- } else {
- try {
- ret = user.getUGI().doAs(new PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- return rsCoprocessorHost.preMergeCommit(region_a, region_b,
metaEntries);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ boolean ret = rsCoprocessorHost.preMergeCommit(region_a, region_b,
metaEntries, user);
if (ret) {
throw new IOException("Coprocessor bypassing regions " + this.region_a
+ " "
@@ -781,23 +715,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
assert this.mergedRegionInfo != null;
// Coprocessor callback
if (rsCoprocessorHost != null) {
- if (user == null) {
- rsCoprocessorHost.preRollBackMerge(region_a, region_b);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- rsCoprocessorHost.preRollBackMerge(region_a, region_b);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ rsCoprocessorHost.preRollBackMerge(region_a, region_b, user);
}
boolean result = true;
@@ -885,23 +803,7 @@ public class RegionMergeTransactionImpl implements
RegionMergeTransaction {
}
// Coprocessor callback
if (rsCoprocessorHost != null) {
- if (user == null) {
- rsCoprocessorHost.postRollBackMerge(region_a, region_b);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- rsCoprocessorHost.postRollBackMerge(region_a, region_b);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ rsCoprocessorHost.postRollBackMerge(region_a, region_b, user);
}
return result;
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
index 1b64ab8..0959e31 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java
@@ -98,8 +98,9 @@ public class RegionServerCoprocessorHost extends
});
}
- public boolean preMerge(final HRegion regionA, final HRegion regionB) throws
IOException {
- return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation() {
+ public boolean preMerge(final HRegion regionA, final HRegion regionB, final
User user)
+ throws IOException {
+ return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -108,9 +109,9 @@ public class RegionServerCoprocessorHost extends
});
}
- public void postMerge(final HRegion regionA, final HRegion regionB, final
HRegion mergedRegion)
- throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postMerge(final HRegion regionA, final HRegion regionB, final
HRegion mergedRegion,
+ final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -120,8 +121,9 @@ public class RegionServerCoprocessorHost extends
}
public boolean preMergeCommit(final HRegion regionA, final HRegion regionB,
- final @MetaMutationAnnotation List<Mutation> metaEntries) throws
IOException {
- return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation() {
+ final @MetaMutationAnnotation List<Mutation> metaEntries, final User
user)
+ throws IOException {
+ return execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -131,8 +133,8 @@ public class RegionServerCoprocessorHost extends
}
public void postMergeCommit(final HRegion regionA, final HRegion regionB,
- final HRegion mergedRegion) throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ final HRegion mergedRegion, final User user) throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -141,8 +143,9 @@ public class RegionServerCoprocessorHost extends
});
}
- public void preRollBackMerge(final HRegion regionA, final HRegion regionB)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void preRollBackMerge(final HRegion regionA, final HRegion regionB,
final User user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -151,8 +154,9 @@ public class RegionServerCoprocessorHost extends
});
}
- public void postRollBackMerge(final HRegion regionA, final HRegion regionB)
throws IOException {
- execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() {
+ public void postRollBackMerge(final HRegion regionA, final HRegion regionB,
final User user)
+ throws IOException {
+ execOperation(coprocessors.isEmpty() ? null : new
CoprocessorOperation(user) {
@Override
public void call(RegionServerObserver oserver,
ObserverContext<RegionServerCoprocessorEnvironment> ctx) throws
IOException {
@@ -227,6 +231,11 @@ public class RegionServerCoprocessorHost extends
private static abstract class CoprocessorOperation
extends ObserverContext<RegionServerCoprocessorEnvironment> {
public CoprocessorOperation() {
+ this(RpcServer.getRequestUser());
+ }
+
+ public CoprocessorOperation(User user) {
+ super(user);
}
public abstract void call(RegionServerObserver oserver,
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java
index f9a5d31..ebdcd17 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.regionserver;
import java.io.IOException;
import java.io.InterruptedIOException;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.ListIterator;
@@ -244,26 +243,9 @@ public class SplitTransactionImpl implements
SplitTransaction {
// Coprocessor callback
if (this.parent.getCoprocessorHost() != null) {
- if (user == null) {
- // TODO: Remove one of these
- parent.getCoprocessorHost().preSplit();
- parent.getCoprocessorHost().preSplit(splitrow);
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- parent.getCoprocessorHost().preSplit();
- parent.getCoprocessorHost().preSplit(splitrow);
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ // TODO: Remove one of these
+ parent.getCoprocessorHost().preSplit(user);
+ parent.getCoprocessorHost().preSplit(splitrow, user);
}
transition(SplitTransactionPhase.AFTER_PRE_SPLIT_HOOK);
@@ -280,22 +262,7 @@ public class SplitTransactionImpl implements
SplitTransaction {
final List<Mutation> metaEntries = new ArrayList<Mutation>();
boolean ret = false;
if (this.parent.getCoprocessorHost() != null) {
- if (user == null) {
- ret = parent.getCoprocessorHost().preSplitBeforePONR(splitrow,
metaEntries);
- } else {
- try {
- ret = user.getUGI().doAs(new PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- return parent.getCoprocessorHost().preSplitBeforePONR(splitrow,
metaEntries);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ ret = parent.getCoprocessorHost().preSplitBeforePONR(splitrow,
metaEntries, user);
if (ret) {
throw new IOException("Coprocessor bypassing region "
+ this.parent.getRegionInfo().getRegionNameAsString() + " split.");
@@ -560,23 +527,7 @@ public class SplitTransactionImpl implements
SplitTransaction {
}
PairOfSameType<Region> regions = createDaughters(server, services, user);
if (this.parent.getCoprocessorHost() != null) {
- if (user == null) {
- parent.getCoprocessorHost().preSplitAfterPONR();
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- parent.getCoprocessorHost().preSplitAfterPONR();
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ parent.getCoprocessorHost().preSplitAfterPONR(user);
}
regions = stepsAfterPONR(server, services, regions, user);
@@ -606,23 +557,7 @@ public class SplitTransactionImpl implements
SplitTransaction {
// Coprocessor callback
if (parent.getCoprocessorHost() != null) {
- if (user == null) {
- this.parent.getCoprocessorHost().postSplit(regions.getFirst(),
regions.getSecond());
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- parent.getCoprocessorHost().postSplit(regions.getFirst(),
regions.getSecond());
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ this.parent.getCoprocessorHost().postSplit(regions.getFirst(),
regions.getSecond(), user);
}
transition(SplitTransactionPhase.AFTER_POST_SPLIT_HOOK);
@@ -915,23 +850,7 @@ public class SplitTransactionImpl implements
SplitTransaction {
throws IOException {
// Coprocessor callback
if (this.parent.getCoprocessorHost() != null) {
- if (user == null) {
- this.parent.getCoprocessorHost().preRollBackSplit();
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- parent.getCoprocessorHost().preRollBackSplit();
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ this.parent.getCoprocessorHost().preRollBackSplit(user);
}
boolean result = true;
@@ -1013,23 +932,7 @@ public class SplitTransactionImpl implements
SplitTransaction {
}
// Coprocessor callback
if (this.parent.getCoprocessorHost() != null) {
- if (user == null) {
- this.parent.getCoprocessorHost().postRollBackSplit();
- } else {
- try {
- user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- parent.getCoprocessorHost().postRollBackSplit();
- return null;
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ this.parent.getCoprocessorHost().postRollBackSplit(user);
}
return result;
}
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java
index b7d27de..62701f3 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java
@@ -19,7 +19,6 @@ package org.apache.hadoop.hbase.regionserver.compactions;
import java.io.IOException;
import java.io.InterruptedIOException;
-import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -364,24 +363,8 @@ public abstract class Compactor<T extends CellSink> {
if (store.getCoprocessorHost() == null) {
return null;
}
- if (user == null) {
- return store.getCoprocessorHost().preCompactScannerOpen(store, scanners,
scanType,
- earliestPutTs, request, readPoint);
- } else {
- try {
- return user.getUGI().doAs(new
PrivilegedExceptionAction<InternalScanner>() {
- @Override
- public InternalScanner run() throws Exception {
- return store.getCoprocessorHost().preCompactScannerOpen(store,
scanners,
- scanType, earliestPutTs, request, readPoint);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ return store.getCoprocessorHost().preCompactScannerOpen(store, scanners,
scanType,
+ earliestPutTs, request, readPoint, user);
}
/**
@@ -396,22 +379,7 @@ public abstract class Compactor<T extends CellSink> {
if (store.getCoprocessorHost() == null) {
return scanner;
}
- if (user == null) {
- return store.getCoprocessorHost().preCompact(store, scanner, scanType,
request);
- } else {
- try {
- return user.getUGI().doAs(new
PrivilegedExceptionAction<InternalScanner>() {
- @Override
- public InternalScanner run() throws Exception {
- return store.getCoprocessorHost().preCompact(store, scanner,
scanType, request);
- }
- });
- } catch (InterruptedException ie) {
- InterruptedIOException iioe = new InterruptedIOException();
- iioe.initCause(ie);
- throw iioe;
- }
- }
+ return store.getCoprocessorHost().preCompact(store, scanner, scanType,
request, user);
}
/**
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 87b7947..4e9246c 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -19,7 +19,6 @@
package org.apache.hadoop.hbase.security.access;
import java.io.IOException;
-import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Collection;
import java.util.HashMap;
@@ -37,7 +36,6 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellScanner;
import org.apache.hadoop.hbase.CellUtil;
-import org.apache.hadoop.hbase.ClusterStatus;
import org.apache.hadoop.hbase.CompoundConfiguration;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.DoNotRetryIOException;
@@ -402,8 +400,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
* If we are in the context of an RPC call, the remote user is used,
* otherwise the currently logged in user is used.
*/
- private User getActiveUser() throws IOException {
- User user = RpcServer.getRequestUser();
+ private User getActiveUser(ObserverContext ctx) throws IOException {
+ User user = ctx.getCaller();
if (user == null) {
// for non-rpc handling, fallback to system user
user = userProvider.getCurrent();
@@ -414,101 +412,118 @@ public class AccessController extends
BaseMasterAndRegionObserver
/**
* Authorizes that the current user has any of the given permissions for the
* given table, column family and column qualifier.
+ * @param user the user
+ * @param request the request
* @param tableName Table requested
* @param family Column family requested
* @param qualifier Column qualifier requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
- public void requirePermission(String request, TableName tableName, byte[]
family,
+ public void requirePermission(User user, String request, TableName
tableName, byte[] family,
byte[] qualifier, Action... permissions) throws IOException {
- accessChecker.requirePermission(getActiveUser(), request,
+ accessChecker.requirePermission(user, request,
tableName, family, qualifier, permissions);
}
/**
* Authorizes that the current user has any of the given permissions for the
* given table, column family and column qualifier.
+ * @param user The active user
+ * @param request The request
* @param tableName Table requested
* @param family Column family param
* @param qualifier Column qualifier param
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
- public void requireTablePermission(String request, TableName tableName,
byte[] family,
+ public void requireTablePermission(User user, String request, TableName
tableName, byte[] family,
byte[] qualifier, Action... permissions) throws IOException {
- accessChecker.requireTablePermission(getActiveUser(), request,
+ accessChecker.requireTablePermission(user, request,
tableName, family, qualifier, permissions);
}
/**
* Authorizes that the current user has any of the given permissions to
access the table.
- *
+ * @param user The active user
+ * @param request The request
* @param tableName Table requested
* @param permissions Actions being requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
- public void requireAccess(String request, TableName tableName,
+ public void requireAccess(User user, String request, TableName tableName,
Action... permissions) throws IOException {
- accessChecker.requireAccess(getActiveUser(), request, tableName,
permissions);
+ accessChecker.requireAccess(user, request, tableName, permissions);
}
/**
* Authorizes that the current user has global privileges for the given
action.
+ * @param user The active user
+ * @param request The request
* @param perm The action being requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if authorization is denied
*/
- public void requirePermission(String request, Action perm) throws
IOException {
- accessChecker.requirePermission(getActiveUser(), request, perm);
+ public void requirePermission(User user, String request, Action perm) throws
IOException {
+ accessChecker.requirePermission(user, request, perm);
}
/**
* Checks that the user has the given global permission. The generated
* audit log message will contain context information for the operation
* being authorized, based on the given parameters.
+ * @param user The active user
+ * @param request The request
* @param perm Action being requested
* @param tableName Affected table name.
* @param familyMap Affected column families.
*/
- public void requireGlobalPermission(String request, Action perm, TableName
tableName,
+ public void requireGlobalPermission(User user, String request, Action perm,
TableName tableName,
Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
- accessChecker.requireGlobalPermission(getActiveUser(), request, perm,
tableName, familyMap);
+ accessChecker.requireGlobalPermission(user, request, perm, tableName,
familyMap);
}
/**
* Checks that the user has the given global permission. The generated
* audit log message will contain context information for the operation
* being authorized, based on the given parameters.
+ * @param user The active user
+ * @param request The request
* @param perm Action being requested
* @param namespace The given namespace
*/
- public void requireGlobalPermission(String request, Action perm,
+ public void requireGlobalPermission(User user, String request, Action perm,
String namespace) throws IOException {
- accessChecker.requireGlobalPermission(getActiveUser(), request, perm,
namespace);
+ accessChecker.requireGlobalPermission(user, request, perm, namespace);
}
/**
* Checks that the user has the given global or namespace permission.
+ * @param user The active user
+ * @param request The request
* @param namespace The given namespace
* @param permissions Actions being requested
*/
- public void requireNamespacePermission(String request, String namespace,
+ public void requireNamespacePermission(User user, String request, String
namespace,
Action... permissions) throws IOException {
- accessChecker.requireNamespacePermission(getActiveUser(), request,
namespace, permissions);
+ accessChecker.requireNamespacePermission(user, request, namespace,
permissions);
}
/**
* Checks that the user has the given global or namespace permission.
- * @param namespace The given namespace
+ * @param user The active user
+ * @param request The request
+ * @param namespace The given namespace
+ * @param tableName The table
+ * @param familyMap The family map
* @param permissions Actions being requested
*/
- public void requireNamespacePermission(String request, String namespace,
TableName tableName,
- Map<byte[], ? extends Collection<byte[]>> familyMap, Action...
permissions)
- throws IOException {
- accessChecker.requireNamespacePermission(getActiveUser(), request,
namespace,
- tableName, familyMap, permissions);
+ public void requireNamespacePermission(User user, String request, String
namespace,
+ TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
+ Action... permissions) throws IOException {
+ accessChecker.requireNamespacePermission(user, request, namespace,
tableName, familyMap,
+ permissions);
}
/**
@@ -582,14 +597,13 @@ public class AccessController extends
BaseMasterAndRegionObserver
* @return false if cell ACLs failed to grant access, true otherwise
* @throws IOException
*/
- private boolean checkCoveringPermission(OpType request,
RegionCoprocessorEnvironment e,
+ private boolean checkCoveringPermission(User user, OpType request,
RegionCoprocessorEnvironment e,
byte[] row, Map<byte[], ? extends Collection<?>> familyMap, long opTs,
Action... actions)
throws IOException {
if (!cellFeaturesEnabled) {
return false;
}
long cellGrants = 0;
- User user = getActiveUser();
long latestCellTs = 0;
Get get = new Get(row);
// Only in case of Put/Delete op, consider TS within cell (if set for
individual cells).
@@ -864,8 +878,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
for (byte[] family: families) {
familyMap.put(family, null);
}
- requireNamespacePermission("createTable",
desc.getTableName().getNamespaceAsString(),
- desc.getTableName(), familyMap, Action.CREATE);
+ requireNamespacePermission(getActiveUser(c), "createTable",
+ desc.getTableName().getNamespaceAsString(), desc.getTableName(),
familyMap, Action.CREATE);
}
@Override
@@ -897,7 +911,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
String owner = desc.getOwnerString();
// default the table owner to current user, if not specified.
if (owner == null)
- owner = getActiveUser().getShortName();
+ owner = getActiveUser(c).getShortName();
final UserPermission userperm = new
UserPermission(Bytes.toBytes(owner),
desc.getTableName(), null, Action.values());
// switch to the real hbase master user for doing the RPC on the ACL
table
@@ -916,7 +930,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName)
throws IOException {
- requirePermission("deleteTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "deleteTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
}
@Override
@@ -937,7 +952,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c,
final TableName tableName) throws IOException {
- requirePermission("truncateTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "truncateTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
final Configuration conf = c.getEnvironment().getConfiguration();
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@@ -975,7 +991,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName,
HTableDescriptor htd) throws IOException {
- requirePermission("modifyTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "modifyTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
}
@Override
@@ -984,7 +1001,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
final Configuration conf = c.getEnvironment().getConfiguration();
// default the table owner to current user, if not specified.
final String owner = (htd.getOwnerString() != null) ? htd.getOwnerString()
:
- getActiveUser().getShortName();
+ getActiveUser(c).getShortName();
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
@@ -1000,21 +1017,22 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName,
HColumnDescriptor column) throws IOException {
- requireTablePermission("addColumn", tableName, column.getName(), null,
Action.ADMIN,
- Action.CREATE);
+ requireTablePermission(getActiveUser(c), "addColumn", tableName,
column.getName(), null,
+ Action.ADMIN, Action.CREATE);
}
@Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName,
HColumnDescriptor descriptor) throws IOException {
- requirePermission("modifyColumn", tableName, descriptor.getName(), null,
Action.ADMIN,
- Action.CREATE);
+ requirePermission(getActiveUser(c), "modifyColumn", tableName,
descriptor.getName(), null,
+ Action.ADMIN, Action.CREATE);
}
@Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName,
byte[] col) throws IOException {
- requirePermission("deleteColumn", tableName, col, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "deleteColumn", tableName, col, null,
Action.ADMIN,
+ Action.CREATE);
}
@Override
@@ -1034,7 +1052,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
TableName tableName)
throws IOException {
- requirePermission("enableTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "enableTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
}
@Override
@@ -1048,7 +1067,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
throw new AccessDeniedException("Not allowed to disable "
+ AccessControlLists.ACL_TABLE_NAME + " table with AccessController
installed");
}
- requirePermission("disableTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(c), "disableTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
}
@Override
@@ -1056,10 +1076,10 @@ public class AccessController extends
BaseMasterAndRegionObserver
ObserverContext<MasterCoprocessorEnvironment> ctx,
final ProcedureExecutor<MasterProcedureEnv> procEnv,
final long procId) throws IOException {
- if (!procEnv.isProcedureOwner(procId, getActiveUser())) {
+ if (!procEnv.isProcedureOwner(procId, getActiveUser(ctx))) {
// If the user is not the procedure owner, then we should further probe
whether
// he can abort the procedure.
- requirePermission("abortProcedure", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "abortProcedure", Action.ADMIN);
}
}
@@ -1087,14 +1107,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
// Retains only those which passes authorization checks, as the checks
weren't done as part
// of preListProcedures.
Iterator<ProcedureInfo> itr = procInfoList.iterator();
- User user = getActiveUser();
+ User user = getActiveUser(ctx);
while (itr.hasNext()) {
ProcedureInfo procInfo = itr.next();
try {
if (!ProcedureInfo.isProcedureOwner(procInfo, user)) {
// If the user is not the procedure owner, then we should further
probe whether
// he can see the procedure.
- requirePermission("listProcedures", Action.ADMIN);
+ requirePermission(user, "listProcedures", Action.ADMIN);
}
} catch (AccessDeniedException e) {
itr.remove();
@@ -1105,31 +1125,34 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preMove(ObserverContext<MasterCoprocessorEnvironment> c,
HRegionInfo region,
ServerName srcServer, ServerName destServer) throws IOException {
- requirePermission("move", region.getTable(), null, null, Action.ADMIN);
+ requirePermission(getActiveUser(c), "move", region.getTable(), null, null,
Action.ADMIN);
}
@Override
public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c,
HRegionInfo regionInfo)
throws IOException {
- requirePermission("assign", regionInfo.getTable(), null, null,
Action.ADMIN);
+ requirePermission(getActiveUser(c), "assign", regionInfo.getTable(), null,
null,
+ Action.ADMIN);
}
@Override
public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c,
HRegionInfo regionInfo,
boolean force) throws IOException {
- requirePermission("unassign", regionInfo.getTable(), null, null,
Action.ADMIN);
+ requirePermission(getActiveUser(c), "unassign", regionInfo.getTable(),
null, null,
+ Action.ADMIN);
}
@Override
public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c,
HRegionInfo regionInfo) throws IOException {
- requirePermission("regionOffline", regionInfo.getTable(), null, null,
Action.ADMIN);
+ requirePermission(getActiveUser(c), "regionOffline",
regionInfo.getTable(), null, null,
+ Action.ADMIN);
}
@Override
public boolean preSetSplitOrMergeEnabled(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final boolean newValue, final Admin.MasterSwitchType switchType) throws
IOException {
- requirePermission("setSplitOrMergeEnabled", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setSplitOrMergeEnabled",
Action.ADMIN);
return false;
}
@@ -1141,26 +1164,26 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission("balance", Action.ADMIN);
+ requirePermission(getActiveUser(c), "balance", Action.ADMIN);
}
@Override
public boolean
preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,
boolean newValue) throws IOException {
- requirePermission("balanceSwitch", Action.ADMIN);
+ requirePermission(getActiveUser(c), "balanceSwitch", Action.ADMIN);
return newValue;
}
@Override
public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission("shutdown", Action.ADMIN);
+ requirePermission(getActiveUser(c), "shutdown", Action.ADMIN);
}
@Override
public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission("stopMaster", Action.ADMIN);
+ requirePermission(getActiveUser(c), "stopMaster", Action.ADMIN);
}
@Override
@@ -1179,21 +1202,21 @@ public class AccessController extends
BaseMasterAndRegionObserver
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment>
ctx,
final SnapshotDescription snapshot, final HTableDescriptor
hTableDescriptor)
throws IOException {
- requirePermission("snapshot " + snapshot.getName(),
hTableDescriptor.getTableName(), null, null,
- Permission.Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "snapshot " + snapshot.getName(),
+ hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
}
@Override
public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment>
ctx,
final SnapshotDescription snapshot) throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// list it, if user is the owner of snapshot
AuthResult result = AuthResult.allow("listSnapshot " +
snapshot.getName(),
- "Snapshot owner check allowed", user, null, null, null);
+ "Snapshot owner check allowed", user, null, null, null);
accessChecker.logResult(result);
} else {
- requirePermission("listSnapshot " + snapshot.getName(), Action.ADMIN);
+ requirePermission(user, "listSnapshot " + snapshot.getName(),
Action.ADMIN);
}
}
@@ -1201,7 +1224,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
public void preCloneSnapshot(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor
hTableDescriptor)
throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
&& hTableDescriptor.getNameAsString().equals(snapshot.getTable())) {
// Snapshot owner is allowed to create a table with the same name as the
snapshot he took
@@ -1209,7 +1232,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
"Snapshot owner check allowed", user, null,
hTableDescriptor.getTableName(), null);
accessChecker.logResult(result);
} else {
- requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+ requirePermission(user, "cloneSnapshot " + snapshot.getName(),
Action.ADMIN);
}
}
@@ -1217,38 +1240,39 @@ public class AccessController extends
BaseMasterAndRegionObserver
public void preRestoreSnapshot(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor
hTableDescriptor)
throws IOException {
- if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) {
- requirePermission("restoreSnapshot " + snapshot.getName(),
hTableDescriptor.getTableName(), null, null,
- Permission.Action.ADMIN);
+ User user = getActiveUser(ctx);
+ if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
+ requirePermission(user, "restoreSnapshot " + snapshot.getName(),
+ hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
} else {
- requirePermission("restoreSnapshot " + snapshot.getName(), Action.ADMIN);
+ requirePermission(user, "restoreSnapshot " + snapshot.getName(),
Action.ADMIN);
}
}
@Override
public void preDeleteSnapshot(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot) throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// Snapshot owner is allowed to delete the snapshot
AuthResult result = AuthResult.allow("deleteSnapshot " +
snapshot.getName(),
"Snapshot owner check allowed", user, null, null, null);
accessChecker.logResult(result);
} else {
- requirePermission("deleteSnapshot " + snapshot.getName(), Action.ADMIN);
+ requirePermission(user, "deleteSnapshot", Action.ADMIN);
}
}
@Override
public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment>
ctx,
NamespaceDescriptor ns) throws IOException {
- requireGlobalPermission("createNamespace", Action.ADMIN, ns.getName());
+ requireGlobalPermission(getActiveUser(ctx), "createNamespace",
Action.ADMIN, ns.getName());
}
@Override
public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment>
ctx, String namespace)
throws IOException {
- requireGlobalPermission("deleteNamespace", Action.ADMIN, namespace);
+ requireGlobalPermission(getActiveUser(ctx), "deleteNamespace",
Action.ADMIN, namespace);
}
@Override
@@ -1272,13 +1296,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
NamespaceDescriptor ns) throws IOException {
// We require only global permission so that
// a user with NS admin cannot altering namespace configurations. i.e.
namespace quota
- requireGlobalPermission("modifyNamespace", Action.ADMIN, ns.getName());
+ requireGlobalPermission(getActiveUser(ctx), "modifyNamespace",
Action.ADMIN, ns.getName());
}
@Override
- public void
preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,
String namespace)
- throws IOException {
- requireNamespacePermission("getNamespaceDescriptor", namespace,
Action.ADMIN);
+ public void
preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ String namespace) throws IOException {
+ requireNamespacePermission(getActiveUser(ctx), "getNamespaceDescriptor",
namespace,
+ Action.ADMIN);
}
@Override
@@ -1287,10 +1312,11 @@ public class AccessController extends
BaseMasterAndRegionObserver
// Retains only those which passes authorization checks, as the checks
weren't done as part
// of preGetTableDescriptors.
Iterator<NamespaceDescriptor> itr = descriptors.iterator();
+ User user = getActiveUser(ctx);
while (itr.hasNext()) {
NamespaceDescriptor desc = itr.next();
try {
- requireNamespacePermission("listNamespaces", desc.getName(),
Action.ADMIN);
+ requireNamespacePermission(user, "listNamespaces", desc.getName(),
Action.ADMIN);
} catch (AccessDeniedException e) {
itr.remove();
}
@@ -1300,24 +1326,25 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preTableFlush(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final TableName tableName) throws IOException {
- requirePermission("flushTable", tableName, null, null, Action.ADMIN,
Action.CREATE);
+ requirePermission(getActiveUser(ctx), "flushTable", tableName, null, null,
+ Action.ADMIN, Action.CREATE);
}
/* ---- RegionObserver implementation ---- */
@Override
- public void preOpen(ObserverContext<RegionCoprocessorEnvironment> e)
+ public void preOpen(ObserverContext<RegionCoprocessorEnvironment> c)
throws IOException {
- RegionCoprocessorEnvironment env = e.getEnvironment();
+ RegionCoprocessorEnvironment env = c.getEnvironment();
final Region region = env.getRegion();
if (region == null) {
LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
} else {
HRegionInfo regionInfo = region.getRegionInfo();
if (regionInfo.getTable().isSystemTable()) {
- checkSystemOrSuperUser();
+ checkSystemOrSuperUser(getActiveUser(c));
} else {
- requirePermission("preOpen", Action.ADMIN);
+ requirePermission(getActiveUser(c), "preOpen", Action.ADMIN);
}
}
}
@@ -1361,28 +1388,30 @@ public class AccessController extends
BaseMasterAndRegionObserver
}
@Override
- public void preFlush(ObserverContext<RegionCoprocessorEnvironment> e) throws
IOException {
- requirePermission("flush", getTableName(e.getEnvironment()), null, null,
Action.ADMIN,
- Action.CREATE);
+ public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c) throws
IOException {
+ requirePermission(getActiveUser(c), "flush",
getTableName(c.getEnvironment()), null, null,
+ Action.ADMIN, Action.CREATE);
}
@Override
- public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e) throws
IOException {
- requirePermission("split", getTableName(e.getEnvironment()), null, null,
Action.ADMIN);
+ public void preSplit(ObserverContext<RegionCoprocessorEnvironment> c) throws
IOException {
+ requirePermission(getActiveUser(c), "split",
getTableName(c.getEnvironment()), null, null,
+ Action.ADMIN);
}
@Override
- public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e,
+ public void preSplit(ObserverContext<RegionCoprocessorEnvironment> c,
byte[] splitRow) throws IOException {
- requirePermission("split", getTableName(e.getEnvironment()), null, null,
Action.ADMIN);
+ requirePermission(getActiveUser(c), "split",
getTableName(c.getEnvironment()), null, null,
+ Action.ADMIN);
}
@Override
- public InternalScanner
preCompact(ObserverContext<RegionCoprocessorEnvironment> e,
+ public InternalScanner
preCompact(ObserverContext<RegionCoprocessorEnvironment> c,
final Store store, final InternalScanner scanner, final ScanType
scanType)
throws IOException {
- requirePermission("compact", getTableName(e.getEnvironment()), null, null,
Action.ADMIN,
- Action.CREATE);
+ requirePermission(getActiveUser(c), "compact",
getTableName(c.getEnvironment()), null, null,
+ Action.ADMIN, Action.CREATE);
return scanner;
}
@@ -1393,11 +1422,11 @@ public class AccessController extends
BaseMasterAndRegionObserver
assert family != null;
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family,
null);
- User user = getActiveUser();
+ User user = getActiveUser(c);
AuthResult authResult = permissionGranted(OpType.GET_CLOSEST_ROW_BEFORE,
user, env, families,
Action.READ);
if (!authResult.isAllowed() && cellFeaturesEnabled &&
!compatibleEarlyTermination) {
-
authResult.setAllowed(checkCoveringPermission(OpType.GET_CLOSEST_ROW_BEFORE,
env, row,
+ authResult.setAllowed(checkCoveringPermission(user,
OpType.GET_CLOSEST_ROW_BEFORE, env, row,
families, HConstants.LATEST_TIMESTAMP, Action.READ));
authResult.setReason("Covering cell set");
}
@@ -1415,7 +1444,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
if (filter != null && filter instanceof AccessControlFilter) {
return;
}
- User user = getActiveUser();
+ User user = getActiveUser(c);
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<byte[]>> families = null;
switch (opType) {
@@ -1528,7 +1557,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c,
final Put put, final WALEdit edit, final Durability durability)
throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(c);
checkForReservedTagPresence(user, put);
// Require WRITE permission to the table, CF, or top visible value, if any.
@@ -1583,7 +1612,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
// by a tombstone already) then we have to disallow this operation.
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<Cell>> families =
delete.getFamilyCellMap();
- User user = getActiveUser();
+ User user = getActiveUser(c);
AuthResult authResult = permissionGranted(OpType.DELETE, user, env,
families, Action.WRITE);
accessChecker.logResult(authResult);
if (!authResult.isAllowed()) {
@@ -1601,6 +1630,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
TableName table =
c.getEnvironment().getRegion().getRegionInfo().getTable();
+ User user = getActiveUser(c);
for (int i = 0; i < miniBatchOp.size(); i++) {
Mutation m = miniBatchOp.getOperation(i);
if (m.getAttribute(CHECK_COVERING_PERM) != null) {
@@ -1608,19 +1638,19 @@ public class AccessController extends
BaseMasterAndRegionObserver
// perm check
OpType opType;
if (m instanceof Put) {
- checkForReservedTagPresence(getActiveUser(), m);
+ checkForReservedTagPresence(user, m);
opType = OpType.PUT;
} else {
opType = OpType.DELETE;
}
AuthResult authResult = null;
- if (checkCoveringPermission(opType, c.getEnvironment(), m.getRow(),
+ if (checkCoveringPermission(user, opType, c.getEnvironment(),
m.getRow(),
m.getFamilyCellMap(), m.getTimeStamp(), Action.WRITE)) {
authResult = AuthResult.allow(opType.toString(), "Covering cell
set",
- getActiveUser(), Action.WRITE, table, m.getFamilyCellMap());
+ user, Action.WRITE, table, m.getFamilyCellMap());
} else {
authResult = AuthResult.deny(opType.toString(), "Covering cell
set",
- getActiveUser(), Action.WRITE, table, m.getFamilyCellMap());
+ user, Action.WRITE, table, m.getFamilyCellMap());
}
accessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
@@ -1647,7 +1677,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
final CompareFilter.CompareOp compareOp,
final ByteArrayComparable comparator, final Put put,
final boolean result) throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(c);
checkForReservedTagPresence(user, put);
// Require READ and WRITE permissions on the table, CF, and KV to update
@@ -1687,13 +1717,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
TableName table =
c.getEnvironment().getRegion().getRegionInfo().getTable();
Map<byte[], ? extends Collection<byte[]>> families =
makeFamilyMap(family, qualifier);
AuthResult authResult = null;
- if (checkCoveringPermission(OpType.CHECK_AND_PUT, c.getEnvironment(),
row, families,
+ User user = getActiveUser(c);
+ if (checkCoveringPermission(user, OpType.CHECK_AND_PUT,
c.getEnvironment(), row, families,
HConstants.LATEST_TIMESTAMP, Action.READ)) {
authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(),
"Covering cell set",
- getActiveUser(), Action.READ, table, families);
+ user, Action.READ, table, families);
} else {
authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(),
"Covering cell set",
- getActiveUser(), Action.READ, table, families);
+ user, Action.READ, table, families);
}
accessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
@@ -1718,7 +1749,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
// by the delete
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family,
qualifier);
- User user = getActiveUser();
+ User user = getActiveUser(c);
AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user,
env, families,
Action.READ, Action.WRITE);
accessChecker.logResult(authResult);
@@ -1745,13 +1776,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
TableName table =
c.getEnvironment().getRegion().getRegionInfo().getTable();
Map<byte[], ? extends Collection<byte[]>> families =
makeFamilyMap(family, qualifier);
AuthResult authResult = null;
- if (checkCoveringPermission(OpType.CHECK_AND_DELETE, c.getEnvironment(),
row, families,
+ User user = getActiveUser(c);
+ if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE,
c.getEnvironment(), row, families,
HConstants.LATEST_TIMESTAMP, Action.READ)) {
authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(),
"Covering cell set",
- getActiveUser(), Action.READ, table, families);
+ user, Action.READ, table, families);
} else {
authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(),
"Covering cell set",
- getActiveUser(), Action.READ, table, families);
+ user, Action.READ, table, families);
}
accessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
@@ -1770,11 +1802,11 @@ public class AccessController extends
BaseMasterAndRegionObserver
// incremented value
RegionCoprocessorEnvironment env = c.getEnvironment();
Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family,
qualifier);
- User user = getActiveUser();
+ User user = getActiveUser(c);
AuthResult authResult = permissionGranted(OpType.INCREMENT_COLUMN_VALUE,
user, env, families,
Action.WRITE);
if (!authResult.isAllowed() && cellFeaturesEnabled &&
!compatibleEarlyTermination) {
-
authResult.setAllowed(checkCoveringPermission(OpType.INCREMENT_COLUMN_VALUE,
env, row,
+ authResult.setAllowed(checkCoveringPermission(user,
OpType.INCREMENT_COLUMN_VALUE, env, row,
families, HConstants.LATEST_TIMESTAMP, Action.WRITE));
authResult.setReason("Covering cell set");
}
@@ -1788,7 +1820,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c,
Append append)
throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(c);
checkForReservedTagPresence(user, append);
// Require WRITE permission to the table, CF, and the KV to be appended
@@ -1825,13 +1857,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
// perm check
TableName table =
c.getEnvironment().getRegion().getRegionInfo().getTable();
AuthResult authResult = null;
- if (checkCoveringPermission(OpType.APPEND, c.getEnvironment(),
append.getRow(),
+ User user = getActiveUser(c);
+ if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(),
append.getRow(),
append.getFamilyCellMap(), HConstants.LATEST_TIMESTAMP,
Action.WRITE)) {
authResult = AuthResult.allow(OpType.APPEND.toString(), "Covering cell
set",
- getActiveUser(), Action.WRITE, table, append.getFamilyCellMap());
+ user, Action.WRITE, table, append.getFamilyCellMap());
} else {
authResult = AuthResult.deny(OpType.APPEND.toString(), "Covering cell
set",
- getActiveUser(), Action.WRITE, table, append.getFamilyCellMap());
+ user, Action.WRITE, table, append.getFamilyCellMap());
}
accessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
@@ -1846,7 +1879,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
public Result preIncrement(final
ObserverContext<RegionCoprocessorEnvironment> c,
final Increment increment)
throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(c);
checkForReservedTagPresence(user, increment);
// Require WRITE permission to the table, CF, and the KV to be replaced by
@@ -1885,13 +1918,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
// perm check
TableName table =
c.getEnvironment().getRegion().getRegionInfo().getTable();
AuthResult authResult = null;
- if (checkCoveringPermission(OpType.INCREMENT, c.getEnvironment(),
increment.getRow(),
+ User user = getActiveUser(c);
+ if (checkCoveringPermission(user, OpType.INCREMENT, c.getEnvironment(),
increment.getRow(),
increment.getFamilyCellMap(), increment.getTimeRange().getMax(),
Action.WRITE)) {
authResult = AuthResult.allow(OpType.INCREMENT.toString(), "Covering
cell set",
- getActiveUser(), Action.WRITE, table,
increment.getFamilyCellMap());
+ user, Action.WRITE, table, increment.getFamilyCellMap());
} else {
authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering
cell set",
- getActiveUser(), Action.WRITE, table,
increment.getFamilyCellMap());
+ user, Action.WRITE, table, increment.getFamilyCellMap());
}
accessChecker.logResult(authResult);
if (authorizationEnabled && !authResult.isAllowed()) {
@@ -1981,7 +2015,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public RegionScanner postScannerOpen(final
ObserverContext<RegionCoprocessorEnvironment> c,
final Scan scan, final RegionScanner s) throws IOException {
- User user = getActiveUser();
+ User user = getActiveUser(c);
if (user != null && user.getShortName() != null) {
// store reference to scanner owner for later checks
scannerOwners.put(s, user.getShortName());
@@ -2034,8 +2068,9 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment>
ctx,
List<Pair<byte[], String>> familyPaths) throws IOException {
+ User user = getActiveUser(ctx);
for(Pair<byte[],String> el : familyPaths) {
- requirePermission("preBulkLoadHFile",
+ requirePermission(user, "preBulkLoadHFile",
ctx.getEnvironment().getRegion().getTableDesc().getTableName(),
el.getFirst(),
null,
@@ -2053,7 +2088,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment>
ctx,
PrepareBulkLoadRequest request) throws
IOException {
- requireAccess("prePareBulkLoad",
+ requireAccess(getActiveUser(ctx), "prePrepareBulkLoad",
ctx.getEnvironment().getRegion().getTableDesc().getTableName(),
Action.CREATE);
}
@@ -2067,7 +2102,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment>
ctx,
CleanupBulkLoadRequest request) throws
IOException {
- requireAccess("preCleanupBulkLoad",
+ requireAccess(getActiveUser(ctx), "preCleanupBulkLoad",
ctx.getEnvironment().getRegion().getTableDesc().getTableName(),
Action.CREATE);
}
@@ -2079,10 +2114,10 @@ public class AccessController extends
BaseMasterAndRegionObserver
// Don't intercept calls to our own AccessControlService, we check for
// appropriate permissions in the service handlers
if (shouldCheckExecPermission && !(service instanceof
AccessControlService)) {
- requirePermission("invoke(" + service.getDescriptorForType().getName() +
"." +
- methodName + ")",
- getTableName(ctx.getEnvironment()), null, null,
- Action.EXEC);
+ requirePermission(getActiveUser(ctx),
+ "invoke(" + service.getDescriptorForType().getName() + "." +
methodName + ")",
+ getTableName(ctx.getEnvironment()), null, null,
+ Action.EXEC);
}
return request;
}
@@ -2109,15 +2144,16 @@ public class AccessController extends
BaseMasterAndRegionObserver
if (LOG.isDebugEnabled()) {
LOG.debug("Received request to grant access permission " +
perm.toString());
}
+ User caller = RpcServer.getRequestUser();
switch(request.getUserPermission().getPermission().getType()) {
case Global :
case Table :
- requirePermission("grant", perm.getTableName(), perm.getFamily(),
- perm.getQualifier(), Action.ADMIN);
+ requirePermission(caller, "grant", perm.getTableName(),
+ perm.getFamily(), perm.getQualifier(), Action.ADMIN);
break;
case Namespace :
- requireNamespacePermission("grant", perm.getNamespace(),
Action.ADMIN);
+ requireNamespacePermission(caller, "grant", perm.getNamespace(),
Action.ADMIN);
break;
}
@@ -2162,15 +2198,16 @@ public class AccessController extends
BaseMasterAndRegionObserver
if (LOG.isDebugEnabled()) {
LOG.debug("Received request to revoke access permission " +
perm.toString());
}
+ User caller = RpcServer.getRequestUser();
switch(request.getUserPermission().getPermission().getType()) {
case Global :
case Table :
- requirePermission("revoke", perm.getTableName(), perm.getFamily(),
+ requirePermission(caller, "revoke", perm.getTableName(),
perm.getFamily(),
perm.getQualifier(), Action.ADMIN);
break;
case Namespace :
- requireNamespacePermission("revoke", perm.getNamespace(),
Action.ADMIN);
+ requireNamespacePermission(caller, "revoke", perm.getNamespace(),
Action.ADMIN);
break;
}
@@ -2209,11 +2246,13 @@ public class AccessController extends
BaseMasterAndRegionObserver
if (!initialized) {
throw new CoprocessorException("AccessController not yet
initialized");
}
+ User caller = RpcServer.getRequestUser();
+
List<UserPermission> perms = null;
if (request.getType() == AccessControlProtos.Permission.Type.Table) {
final TableName table = request.hasTableName() ?
ProtobufUtil.toTableName(request.getTableName()) : null;
- requirePermission("userPermissions", table, null, null,
Action.ADMIN);
+ requirePermission(caller, "userPermissions", table, null, null,
Action.ADMIN);
perms = User.runAsLoginUser(new
PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
@@ -2222,7 +2261,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
});
} else if (request.getType() ==
AccessControlProtos.Permission.Type.Namespace) {
final String namespace = request.getNamespaceName().toStringUtf8();
- requireNamespacePermission("userPermissions", namespace,
Action.ADMIN);
+ requireNamespacePermission(caller, "userPermissions", namespace,
Action.ADMIN);
perms = User.runAsLoginUser(new
PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
@@ -2231,7 +2270,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
}
});
} else {
- requirePermission("userPermissions", Action.ADMIN);
+ requirePermission(caller, "userPermissions", Action.ADMIN);
perms = User.runAsLoginUser(new
PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
@@ -2268,7 +2307,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
}
AccessControlProtos.CheckPermissionsResponse response = null;
try {
- User user = getActiveUser();
+ User user = RpcServer.getRequestUser();
TableName tableName =
regionEnv.getRegion().getTableDesc().getTableName();
for (Permission permission : permissions) {
if (permission instanceof TablePermission) {
@@ -2362,17 +2401,16 @@ public class AccessController extends
BaseMasterAndRegionObserver
}
@Override
- public void preClose(ObserverContext<RegionCoprocessorEnvironment> e,
boolean abortRequested)
+ public void preClose(ObserverContext<RegionCoprocessorEnvironment> c,
boolean abortRequested)
throws IOException {
- requirePermission("preClose", Action.ADMIN);
+ requirePermission(getActiveUser(c), "preClose", Action.ADMIN);
}
- private void checkSystemOrSuperUser() throws IOException {
+ private void checkSystemOrSuperUser(User activeUser) throws IOException {
// No need to check if we're not going to throw
if (!authorizationEnabled) {
return;
}
- User activeUser = getActiveUser();
if (!Superusers.isSuperUser(activeUser)) {
throw new AccessDeniedException("User '" + (activeUser != null ?
activeUser.getShortName() : "null") + "' is not system or super
user.");
@@ -2381,9 +2419,9 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preStopRegionServer(
- ObserverContext<RegionServerCoprocessorEnvironment> env)
+ ObserverContext<RegionServerCoprocessorEnvironment> ctx)
throws IOException {
- requirePermission("preStopRegionServer", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "preStopRegionServer", Action.ADMIN);
}
private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[]
family,
@@ -2412,7 +2450,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
if (masterServices.getTableDescriptors().get(tableName) == null) {
continue;
}
- requirePermission("getTableDescriptors", tableName, null, null,
+ requirePermission(getActiveUser(ctx), "getTableDescriptors",
tableName, null, null,
Action.ADMIN, Action.CREATE);
}
}
@@ -2433,7 +2471,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
while (itr.hasNext()) {
HTableDescriptor htd = itr.next();
try {
- requirePermission("getTableDescriptors", htd.getTableName(), null,
null,
+ requirePermission(getActiveUser(ctx), "getTableDescriptors",
htd.getTableName(), null, null,
Action.ADMIN, Action.CREATE);
} catch (AccessDeniedException e) {
itr.remove();
@@ -2449,7 +2487,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
while (itr.hasNext()) {
HTableDescriptor htd = itr.next();
try {
- requireAccess("getTableNames", htd.getTableName(), Action.values());
+ requireAccess(getActiveUser(ctx), "getTableNames", htd.getTableName(),
Action.values());
} catch (AccessDeniedException e) {
itr.remove();
}
@@ -2459,14 +2497,14 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preDispatchMerge(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
HRegionInfo regionA, HRegionInfo regionB) throws IOException {
- requirePermission("mergeRegions", regionA.getTable(), null, null,
+ requirePermission(getActiveUser(ctx), "mergeRegions", regionA.getTable(),
null, null,
Action.ADMIN);
}
@Override
public void
preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
- requirePermission("clearDeadServers", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "clearDeadServers", Action.ADMIN);
}
@Override
@@ -2476,8 +2514,8 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment>
ctx, Region regionA,
Region regionB) throws IOException {
- requirePermission("mergeRegions", regionA.getTableDesc().getTableName(),
null, null,
- Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "mergeRegions",
regionA.getTableDesc().getTableName(),
+ null, null, Action.ADMIN);
}
@Override
@@ -2503,7 +2541,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void
preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
throws IOException {
- requirePermission("preRollLogWriterRequest", Permission.Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "preRollLogWriterRequest",
Permission.Action.ADMIN);
}
@Override
@@ -2519,7 +2557,7 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void
preReplicateLogEntries(ObserverContext<RegionServerCoprocessorEnvironment> ctx,
List<WALEntry> entries, CellScanner cells) throws IOException {
- requirePermission("replicateLogEntries", Action.WRITE);
+ requirePermission(getActiveUser(ctx), "replicateLogEntries", Action.WRITE);
}
@Override
@@ -2530,31 +2568,31 @@ public class AccessController extends
BaseMasterAndRegionObserver
@Override
public void preSetUserQuota(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final String userName, final Quotas quotas) throws IOException {
- requirePermission("setUserQuota", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setUserQuota", Action.ADMIN);
}
@Override
public void preSetUserQuota(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final String userName, final TableName tableName, final Quotas quotas)
throws IOException {
- requirePermission("setUserTableQuota", tableName, null, null,
Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setUserTableQuota", tableName,
null, null, Action.ADMIN);
}
@Override
public void preSetUserQuota(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final String userName, final String namespace, final Quotas quotas)
throws IOException {
- requirePermission("setUserNamespaceQuota", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setUserNamespaceQuota",
Action.ADMIN);
}
@Override
public void preSetTableQuota(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final TableName tableName, final Quotas quotas) throws IOException {
- requirePermission("setTableQuota", tableName, null, null, Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setTableQuota", tableName, null,
null, Action.ADMIN);
}
@Override
public void preSetNamespaceQuota(final
ObserverContext<MasterCoprocessorEnvironment> ctx,
final String namespace, final Quotas quotas) throws IOException {
- requirePermission("setNamespaceQuota", Action.ADMIN);
+ requirePermission(getActiveUser(ctx), "setNamespaceQuota", Action.ADMIN);
}
@Override
diff --git
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
index f400fd4..2cd5c50 100644
---
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
+++
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
@@ -198,24 +198,20 @@ public class SecureBulkLoadEndpoint extends
SecureBulkLoadService
}
@Override
- public void prepareBulkLoad(RpcController controller,
- PrepareBulkLoadRequest
request,
-
RpcCallback<PrepareBulkLoadResponse> done){
+ public void prepareBulkLoad(RpcController controller, PrepareBulkLoadRequest
request,
+ RpcCallback<PrepareBulkLoadResponse> done) {
try {
List<BulkLoadObserver> bulkLoadObservers = getBulkLoadObservers();
-
- if(bulkLoadObservers != null) {
+ if (bulkLoadObservers != null) {
ObserverContext<RegionCoprocessorEnvironment> ctx =
- new
ObserverContext<RegionCoprocessorEnvironment>();
+ new
ObserverContext<RegionCoprocessorEnvironment>(RpcServer.getRequestUser());
ctx.prepare(env);
-
- for(BulkLoadObserver bulkLoadObserver : bulkLoadObservers) {
+ for (BulkLoadObserver bulkLoadObserver : bulkLoadObservers) {
bulkLoadObserver.prePrepareBulkLoad(ctx, request);
}
}
-
- String bulkToken = createStagingDir(baseStagingDir,
- getActiveUser(),
ProtobufUtil.toTableName(request.getTableName())).toString();
+ String bulkToken = createStagingDir(baseStagingDir, getActiveUser(),
+ ProtobufUtil.toTableName(request.getTableName())).toString();
done.run(PrepareBulkLoadResponse.newBuilder().setBulkToken(bulkToken).build());
} catch (IOException e) {
ResponseConverter.setControllerException(controller, e);
@@ -224,22 +220,18 @@ public class SecureBulkLoadEndpoint extends
SecureBulkLoadService
}
@Override
- public void cleanupBulkLoad(RpcController controller,
- CleanupBulkLoadRequest request,
- RpcCallback<CleanupBulkLoadResponse> done) {
+ public void cleanupBulkLoad(RpcController controller, CleanupBulkLoadRequest
request,
+ RpcCallback<CleanupBulkLoadResponse> done) {
try {
List<BulkLoadObserver> bulkLoadObservers = getBulkLoadObservers();
-
- if(bulkLoadObservers != null) {
+ if (bulkLoadObservers != null) {
ObserverContext<RegionCoprocessorEnvironment> ctx =
- new
ObserverContext<RegionCoprocessorEnvironment>();
+ new
ObserverContext<RegionCoprocessorEnvironment>(RpcServer.getRequestUser());
ctx.prepare(env);
-
- for(BulkLoadObserver bulkLoadObserver : bulkLoadObservers) {
+ for (BulkLoadObserver bulkLoadObserver : bulkLoadObservers) {
bulkLoadObserver.preCleanupBulkLoad(ctx, request);
}
}
-
Path path = new Path(request.getBulkToken());
if (!fs.delete(path, true)) {
if (fs.exists(path)) {
@@ -267,6 +259,7 @@ public class SecureBulkLoadEndpoint extends
SecureBulkLoadService
interface Consumer<T> {
void accept(T t);
}
+
private static Consumer<Region> fsCreatedListener;
@VisibleForTesting
@@ -274,7 +267,6 @@ public class SecureBulkLoadEndpoint extends
SecureBulkLoadService
fsCreatedListener = listener;
}
-
private void incrementUgiReference(UserGroupInformation ugi) {
synchronized (ugiReferenceCounter) {
final MutableInt counter = ugiReferenceCounter.get(ugi);
