rajeshbabu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/master by this push:
new 73277b1 PHOENIX-5905 Reset user to hbase by changing rpc context
before getting user permissions on access controller
service-addendum(Rajeshbabu),PHOENIX-5700 PhoenixAccessController does not copy
permissions from custom AccessControllers,PHOENIX-5908 Add test cases to verify
Phoenix Access Controller with Custom Access Controller Service
commit 73277b153e80ab0b187055ac8bf82e24f3baa770
Author: Rajeshbabu Chintaguntla <[email protected]>
AuthorDate: Tue Jun 2 21:49:47 2020 +0530
PHOENIX-5905 Reset user to hbase by changing rpc context before getting
user permissions on access controller service - addendum (Rajeshbabu); PHOENIX-5700
PhoenixAccessController does not copy permissions from custom
AccessControllers; PHOENIX-5908 Add test cases to verify Phoenix Access
Controller with Custom Access Controller Service
---
.../apache/phoenix/end2end/BasePermissionsIT.java | 130 ++++++++++++++++-----
...sionNSDisabledWithCustomAccessControllerIT.java | 32 +++++
...ssionNSEnabledWithCustomAccessControllerIT.java | 32 +++++
.../coprocessor/PhoenixAccessController.java | 11 +-
4 files changed, 172 insertions(+), 33 deletions(-)
diff --git
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/BasePermissionsIT.java
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/BasePermissionsIT.java
index f2a6b9d..a211030 100644
--- a/phoenix-core/src/it/java/org/apache/phoenix/end2end/BasePermissionsIT.java
+++ b/phoenix-core/src/it/java/org/apache/phoenix/end2end/BasePermissionsIT.java
@@ -18,34 +18,27 @@ package org.apache.phoenix.end2end;
import com.google.common.base.Joiner;
import com.google.common.base.Throwables;
-
-import java.io.IOException;
-import java.lang.reflect.UndeclaredThrowableException;
-import java.security.PrivilegedExceptionAction;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.Arrays;
-
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Properties;
-import java.util.Set;
-
+import com.google.protobuf.RpcCallback;
+import com.google.protobuf.RpcController;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
+import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.LocalHBaseCluster;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.ConnectionFactory;
+import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
+import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
+import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
+import org.apache.hadoop.hbase.security.access.AccessControlUtil;
+import org.apache.hadoop.hbase.security.access.AccessController;
+import org.apache.hadoop.hbase.security.access.GetUserPermissionsRequest;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.phoenix.coprocessor.MetaDataProtocol;
import org.apache.phoenix.jdbc.PhoenixConnection;
import org.apache.phoenix.jdbc.PhoenixDatabaseMetaData;
@@ -55,7 +48,6 @@ import org.apache.phoenix.query.QueryConstants;
import org.apache.phoenix.query.QueryServices;
import org.apache.phoenix.schema.NewerSchemaAlreadyExistsException;
import org.apache.phoenix.schema.TableNotFoundException;
-import org.apache.phoenix.util.MetaDataUtil;
import org.apache.phoenix.util.PhoenixRuntime;
import org.apache.phoenix.util.SchemaUtil;
import org.junit.Before;
@@ -66,7 +58,28 @@ import org.junit.runners.MethodSorters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import static org.junit.Assert.*;
+import java.io.IOException;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.security.PrivilegedExceptionAction;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
@Category(NeedsOwnMiniClusterTest.class)
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
@@ -138,6 +151,10 @@ public abstract class BasePermissionsIT extends BaseTest {
}
static void initCluster(boolean isNamespaceMapped) throws Exception {
+ initCluster(isNamespaceMapped, false);
+ }
+
+ static void initCluster(boolean isNamespaceMapped, boolean
useCustomAccessController) throws Exception {
if (null != testUtil) {
testUtil.shutdownMiniCluster();
testUtil = null;
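Review bot: The new `useCustomAccessController` flag is undocumented and the one-argument overload silently defaults it to `false`, so a reader of either test subclass cannot tell from the call site which coprocessor the cluster is started with. Add a Javadoc above the two-argument `initCluster`, e.g. `/** Restarts the mini cluster with HBase authorization on; when useCustomAccessController is true, CustomAccessController is installed on master, region and regionserver instead of HBase's stock AccessController. */`, and a one-liner on the overload saying it keeps the stock controller. The body of `initCluster` continues past the end of this hunk.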
@@ -146,7 +163,7 @@ public abstract class BasePermissionsIT extends BaseTest {
testUtil = new HBaseTestingUtility();
Configuration config = testUtil.getConfiguration();
- enablePhoenixHBaseAuthorization(config);
+ enablePhoenixHBaseAuthorization(config, useCustomAccessController);
configureNamespacesOnServer(config, isNamespaceMapped);
configureStatsConfigurations(config);
config.setBoolean(LocalHBaseCluster.ASSIGN_RANDOM_PORTS, true);
@@ -186,17 +203,26 @@ public abstract class BasePermissionsIT extends BaseTest {
view2TableName = tableName + "_V2";
}
- private static void enablePhoenixHBaseAuthorization(Configuration config) {
+ private static void enablePhoenixHBaseAuthorization(Configuration config,
+ boolean
useCustomAccessController) {
config.set("hbase.superuser", SUPER_USER + "," + "superUser2");
config.set("hbase.security.authorization", Boolean.TRUE.toString());
config.set("hbase.security.exec.permission.checks",
Boolean.TRUE.toString());
- config.set("hbase.coprocessor.master.classes",
- "org.apache.hadoop.hbase.security.access.AccessController");
- config.set("hbase.coprocessor.region.classes",
- "org.apache.hadoop.hbase.security.access.AccessController");
- config.set("hbase.coprocessor.regionserver.classes",
- "org.apache.hadoop.hbase.security.access.AccessController");
-
+ if(useCustomAccessController) {
+ config.set("hbase.coprocessor.master.classes",
+ CustomAccessController.class.getName());
+ config.set("hbase.coprocessor.region.classes",
+ CustomAccessController.class.getName());
+ config.set("hbase.coprocessor.regionserver.classes",
+ CustomAccessController.class.getName());
+ } else {
+ config.set("hbase.coprocessor.master.classes",
+
"org.apache.hadoop.hbase.security.access.AccessController");
+ config.set("hbase.coprocessor.region.classes",
+
"org.apache.hadoop.hbase.security.access.AccessController");
+ config.set("hbase.coprocessor.regionserver.classes",
+
"org.apache.hadoop.hbase.security.access.AccessController");
+ }
config.set(QueryServices.PHOENIX_ACLS_ENABLED,"true");
config.set("hbase.regionserver.wal.codec",
"org.apache.hadoop.hbase.regionserver.wal.IndexedWALEditCodec");
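Review bot: The `else` branch spells the stock controller's class name out as a string literal three times while the `if` branch uses `CustomAccessController.class.getName()`; `AccessController` is already imported in this file, so the six `config.set` calls can collapse to one selection, `String accessController = useCustomAccessController ? CustomAccessController.class.getName() : AccessController.class.getName();`, followed by the three `config.set("hbase.coprocessor.*.classes", accessController)` lines once. Besides removing the duplicated key names, a class literal lets the compiler catch a relocated or renamed controller instead of the test silently starting without any access controller. `enablePhoenixHBaseAuthorization` continues past the end of this hunk.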
@@ -1407,4 +1433,50 @@ public abstract class BasePermissionsIT extends BaseTest
{
}
};
}
+
+ public static class CustomAccessController extends AccessController {
+
+ org.apache.hadoop.hbase.client.Connection connection;
+ @Override
+ public void start(CoprocessorEnvironment env) throws IOException {
+ super.start(env);
+ connection =
ConnectionFactory.createConnection(env.getConfiguration());
+ }
+
+ @Override
+ public void getUserPermissions(RpcController controller,
+
AccessControlProtos.GetUserPermissionsRequest request,
+
RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
+ AccessControlProtos.GetUserPermissionsResponse response = null;
+ try {
+ final String userName = request.hasUserName() ?
request.getUserName().toStringUtf8() : null;
+ final String namespace =
+ request.hasNamespaceName() ?
request.getNamespaceName().toStringUtf8() : null;
+ final TableName table =
+ request.hasTableName() ?
ProtobufUtil.toTableName(request.getTableName()) : null;
+ final byte[] cf =
+ request.hasColumnFamily() ?
request.getColumnFamily().toByteArray() : null;
+ final byte[] cq =
+ request.hasColumnQualifier() ?
request.getColumnQualifier().toByteArray() : null;
+ GetUserPermissionsRequest getUserPermissionsRequest = null;
+ if (request.getType() ==
AccessControlProtos.Permission.Type.Table) {
+ getUserPermissionsRequest =
GetUserPermissionsRequest.newBuilder(table).withFamily(cf)
+ .withQualifier(cq).withUserName(userName).build();
+ } else if (request.getType() ==
AccessControlProtos.Permission.Type.Namespace) {
+ getUserPermissionsRequest =
+
GetUserPermissionsRequest.newBuilder(namespace).withUserName(userName).build();
+ } else {
+ getUserPermissionsRequest =
+
GetUserPermissionsRequest.newBuilder().withUserName(userName).build();
+ }
+ List<UserPermission> perms =
+
connection.getAdmin().getUserPermissions(getUserPermissionsRequest);
+ response =
AccessControlUtil.buildGetUserPermissionsResponse(perms);
+ } catch (IOException e) {
+ // pass exception back up
+ CoprocessorRpcUtils.setControllerException(controller, e);
+ }
+ done.run(response);
+ }
+ }
}
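Review bot: `CustomAccessController.start` opens an HBase `Connection` that is never closed — there is no `stop` override — and each `getUserPermissions` call obtains an `Admin` from it that is also never closed, so every permission lookup in these ITs leaks a client until the JVM exits. Close the `Admin` with try-with-resources and release the connection in `stop` (needs an `org.apache.hadoop.hbase.client.Admin` import). Separately, note that this override returns permissions for any requested user without performing an authorization check on the caller, unlike what a production controller would presumably do; if the intent of PHOENIX-5905/5908 is to prove that the RPC-context reset lets a non-superuser's metadata request succeed against a checking controller, a controller that never rejects anyone cannot demonstrate that — consider adding a check (or a comment stating the test deliberately omits one).
```java
    // … unchanged: start() …

    @Override
    public void stop(CoprocessorEnvironment env) throws IOException {
        try {
            super.stop(env);
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }

    // … unchanged: getUserPermissions request decoding and builder selection …
                List<UserPermission> perms;
                try (Admin admin = connection.getAdmin()) {
                    perms = admin.getUserPermissions(getUserPermissionsRequest);
                }
                response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
    // … unchanged: catch block and done.run(response) …
```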
diff --git
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSDisabledWithCustomAccessControllerIT.java
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSDisabledWithCustomAccessControllerIT.java
new file mode 100644
index 0000000..434a2b1
--- /dev/null
+++
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSDisabledWithCustomAccessControllerIT.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.end2end;
+
+import org.junit.BeforeClass;
+
+public class PermissionNSDisabledWithCustomAccessControllerIT extends
PermissionNSDisabledIT{
+ public PermissionNSDisabledWithCustomAccessControllerIT() throws Exception
{
+ super();
+ }
+
+ @BeforeClass
+ public static synchronized void doSetup() throws Exception {
+ BasePermissionsIT.initCluster(false, true);
+ }
+
+}
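Review bot: The static `doSetup` here intentionally hides the inherited `@BeforeClass doSetup` of `PermissionNSDisabledIT` — JUnit 4 skips a `@BeforeClass` that a subclass redeclares with the same signature, as far as I recall — which is what stops the cluster from being started twice, but nothing says so and a rename in either class would quietly run both setups. Add `// Hides PermissionNSDisabledIT.doSetup: JUnit 4 runs only this @BeforeClass, so the cluster starts once with CustomAccessController installed.` above the method. The explicit constructor is required because the parent's declares `throws Exception` and an implicit default constructor cannot; a one-line comment stating that would save the next reader from deleting it.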
diff --git
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledWithCustomAccessControllerIT.java
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledWithCustomAccessControllerIT.java
new file mode 100644
index 0000000..77ce073
--- /dev/null
+++
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledWithCustomAccessControllerIT.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.end2end;
+
+import org.junit.BeforeClass;
+
+public class PermissionNSEnabledWithCustomAccessControllerIT extends
PermissionNSEnabledIT{
+ public PermissionNSEnabledWithCustomAccessControllerIT() throws Exception {
+ super();
+ }
+
+ @BeforeClass
+ public static synchronized void doSetup() throws Exception {
+ BasePermissionsIT.initCluster(true, true);
+ }
+
+}
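Review bot: As with its namespace-disabled sibling, `doSetup` relies on hiding the inherited static `@BeforeClass` of `PermissionNSEnabledIT` so that only this setup runs and the cluster is started once with the custom controller; that reliance is undocumented. Add `// Hides PermissionNSEnabledIT.doSetup: JUnit 4 runs only this @BeforeClass, so the cluster starts once with CustomAccessController installed.` above the method, and a short comment on the constructor noting it exists only because the parent constructor declares `throws Exception`.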
diff --git
a/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java
b/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java
index 2754e84..8acc42f 100644
---
a/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java
+++
b/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java
@@ -503,16 +503,16 @@ public class PhoenixAccessController extends
BaseMetaDataEndpointObserver {
return userPermissions;
}
- //FIXME This seems to have no effect at all
private void getUserDefinedPermissions(final TableName tableName,
final List<UserPermission> userPermissions) throws IOException {
User.runAsLoginUser(new
PrivilegedExceptionAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() throws Exception {
- //FIXME We are masking the parameter list that we are
supposed to add to
- final List<UserPermission> userPermissions = new
ArrayList<UserPermission>();
- try (Connection connection =
+ final RpcCall rpcContext = RpcUtil.getRpcContext();
+ try (Connection connection =
ConnectionFactory.createConnection(((CoprocessorEnvironment)
env).getConfiguration())) {
+ // Setting RPC context as null so that user can be
resetted
+ RpcUtil.setRpcContext(null);
for (MasterObserver service : getAccessControllers()) {
if (service.getClass().getName().equals(
org.apache.hadoop.hbase.security.access.AccessController.class
@@ -530,6 +530,9 @@ public class PhoenixAccessController extends
BaseMetaDataEndpointObserver {
throw (Error) e;
}
throw new Exception(e);
+ } finally {
+ // Setting RPC context back to original context of the
RPC
+ RpcUtil.setRpcContext(rpcContext);
}
return userPermissions;
}
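Review bot: The added `finally` correctly restores the caller's `RpcCall`, but nothing documents that the window it closes is a deliberate privilege elevation: with the context cleared earlier in `getUserDefinedPermissions` (whose body starts outside this hunk), the nested permission lookup is issued under the server's login identity, so any controller's authorization check on `getUserPermissions` is evaluated for `hbase` rather than for the requesting user. That is the intended PHOENIX-5905 fix, but it means the method now collects data the caller may not be entitled to see, so the contract that the result feeds only the coprocessor's own authorization decision and is never returned through an RPC response belongs in a Javadoc on the method, not in an in-line comment. I would also fix the earlier comment's typo (`resetted`) and make this one say why, e.g. `// Restore the caller's RPC context so the elevated identity does not outlive this lookup`. Since both `runAsLoginUser` and `RpcUtil.setRpcContext` appear to act on the current thread, keeping the restore inside `run()` is what makes it land on the right thread — worth stating, hedged until confirmed against `RpcUtil`.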