[
https://issues.apache.org/jira/browse/HBASE-16773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15555615#comment-15555615
]
Ted Yu commented on HBASE-16773:
--------------------------------
Currently investigating why TestAccessController#testGrantRevoke fails in
branch-1 with:
{code}
2016-10-07 09:36:24,767 DEBUG
[RpcServer.FifoWFPBQ.priority.handler=7,queue=1,port=55271]
ipc.CallRunner(126): RpcServer.FifoWFPBQ.priority.handler=7,queue=1,port=55271:
callId: 1 service: ClientService methodName: ExecService size: 182
connection: 10.22.9.171:55394
java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions (user=owner, scope=hbase:acl, family=l:rouser,f1,
params=[table=hbase:acl,family=l: rouser,f1],action=WRITE)
at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:212)
at
org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2308)
at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:9941)
at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10102)
at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8083)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2044)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2026)
at
org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:34954)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2277)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:123)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:189)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:169)
Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=owner, scope=hbase:acl, family=l:rouser,f1,
params=[table=hbase:acl,family=l:rouser,f1], action=WRITE)
at
org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1726)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:975)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1674)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1750)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1706)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:971)
at
org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3008)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2972)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2918)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2922)
at
org.apache.hadoop.hbase.regionserver.HRegion.doBatchMutate(HRegion.java:3694)
at org.apache.hadoop.hbase.regionserver.HRegion.delete(HRegion.java:2698)
at
org.apache.hadoop.hbase.regionserver.RSRpcServices.mutate(RSRpcServices.java:2364)
at org.apache.hadoop.hbase.client.HTable$4.call(HTable.java:994)
at org.apache.hadoop.hbase.client.HTable$4.call(HTable.java:984)
at
org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:137)
at org.apache.hadoop.hbase.client.HTable.delete(HTable.java:1001)
at org.apache.hadoop.hbase.client.HTableWrapper.delete(HTableWrapper.java:157)
at
org.apache.hadoop.hbase.security.access.AccessControlLists.removeUserPermission(AccessControlLists.java:204)
at
org.apache.hadoop.hbase.security.access.AccessController$9.run(AccessController.java:2311)
at
org.apache.hadoop.hbase.security.access.AccessController$9.run(AccessController.java:2308)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:444)
at
org.apache.hadoop.security.SecurityUtil.doAsLoginUser(SecurityUtil.java:425)
at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.hbase.util.Methods.call(Methods.java:39)
at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:210)
{code}
> AccessController should access local region if possible
> -------------------------------------------------------
>
> Key: HBASE-16773
> URL: https://issues.apache.org/jira/browse/HBASE-16773
> Project: HBase
> Issue Type: Improvement
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: 16773.branch-1.txt, 16773.v2.txt, 16773.v3.txt,
> 16773.v4.txt, 16773.v5.txt, 16773.v6.txt, 16773.v7.txt
>
>
> We observed the following in the stack trace of region server on a 1.1.2
> cluster:
> {code}
> "PriorityRpcServer.handler=19,queue=1,port=60200" #225 daemon prio=5
> os_prio=0 tid=0x00007fb562296000 nid=0x81c0 runnable [0x00007fb509a27000]
> java.lang.Thread.State: RUNNABLE
> at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)
> at sun.nio.ch.EPollArrayWrapper.poll(EPollArrayWrapper.java:269)
> at sun.nio.ch.EPollSelectorImpl.doSelect(EPollSelectorImpl.java:93)
> at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:86)
> - locked <0x00000003d4dfd770> (a sun.nio.ch.Util$2)
> - locked <0x00000003d4dfd760> (a java.util.Collections$UnmodifiableSet)
> - locked <0x00000003d4dfd648> (a sun.nio.ch.EPollSelectorImpl)
> at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:97)
> at
> org.apache.hadoop.net.SocketIOWithTimeout$SelectorPool.select(SocketIOWithTimeout.java:335)
> at
> org.apache.hadoop.net.SocketIOWithTimeout.doIO(SocketIOWithTimeout.java:157)
> at org.apache.hadoop.net.SocketInputStream.read(SocketInputStream.java:161)
> at org.apache.hadoop.net.SocketInputStream.read(SocketInputStream.java:131)
> at java.io.FilterInputStream.read(FilterInputStream.java:133)
> at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
> at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
> - locked <0x00000003d7dae180> (a java.io.BufferedInputStream)
> at java.io.DataInputStream.readInt(DataInputStream.java:387)
> at
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient.readStatus(HBaseSaslRpcClient.java:151)
> at
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:189)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
> - locked <0x00000003d5c7edc0> (a
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
> - locked <0x00000003d5c7edc0> (a
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:887)
> at
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:856)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1199)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:213)
> at
> org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:287)
> at
> org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.get(ClientProtos.java:32627)
> at org.apache.hadoop.hbase.client.HTable$3.call(HTable.java:854)
> at org.apache.hadoop.hbase.client.HTable$3.call(HTable.java:845)
> at
> org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:126)
> at org.apache.hadoop.hbase.client.HTable.get(HTable.java:862)
> at org.apache.hadoop.hbase.client.HTable.get(HTable.java:828)
> at
> org.apache.hadoop.hbase.security.access.AccessControlLists.getPermissions(AccessControlLists.java:461)
> at
> org.apache.hadoop.hbase.security.access.AccessController.updateACL(AccessController.java:260)
> at
> org.apache.hadoop.hbase.security.access.AccessController.postPut(AccessController.java:1661)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$32.call(RegionCoprocessorHost.java:940)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postPut(RegionCoprocessorHost.java:936)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.doMiniBatchMutation(HRegion.java:3287)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2902)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2844)
> {code}
> There were 20 threads stuck in the retrieval of permissions.
> AccessController shouldn't use Connection if getPermissions() can be
> satisfied by accessing local hbase:acl region.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
