HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/435530b4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/435530b4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/435530b4
Branch: refs/heads/branch-1
Commit: 435530b4d60751655ba459693da75c73f872d15f
Parents: 49e2741
Author: Andrew Purtell <apurt...@apache.org>
Authored: Sun Sep 14 20:29:22 2014 -0700
Committer: Andrew Purtell <apurt...@apache.org>
Committed: Sun Sep 14 20:29:22 2014 -0700
----------------------------------------------------------------------
.../org/apache/hadoop/hbase/security/User.java | 19 +++++++++++++++++++
.../hbase/security/access/AccessController.java | 17 +++++++++++++----
2 files changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d..fd12e47 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -165,6 +165,25 @@ public abstract class User {
 }
 /**
+ * Executes the given action as the login user
+ * @param action
+ * @return
+ * @throws IOException
+ * @throws InterruptedException
+ */
+ @SuppressWarnings({ "rawtypes", "unchecked" })
+ public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
+ try {
+ Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+ Class [] types = new Class[]{PrivilegedExceptionAction.class};
+ Object[] args = new Object[]{action};
+ return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+ } catch (Throwable e) {
+ throw new IOException(e);
+ }
+ }
+
+ /**
 * Wraps an underlying {@code UserGroupInformation} instance.
 * @param ugi The base Hadoop user
 * @return User
http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d0fe19d..2e23860 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
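Review bot: The Javadoc on the new `runAsLoginUser` is placeholder-only (`@param action`, `@return` and the `@throws` tags are blank, and it lists `InterruptedException` although the signature declares only `IOException`), which matters because this helper is a privilege-switching primitive: whatever action is passed in runs with the server process's login credentials, so callers must hand it only work whose inputs have already been authorized. I would replace it with a Javadoc stating that the action executes under the process login user (through Hadoop's `SecurityUtil.doAsLoginUser`, invoked reflectively), that it must not be given an action whose parameters derive from an unchecked client request, and that any failure — the reflective lookup, the action's own exception, or an interrupt — is surfaced as an `IOException` wrapping the original. Separately, `catch (Throwable e)` also turns `Error`s such as `OutOfMemoryError` into an `IOException`; `} catch (Exception e) {` would keep fatal errors fatal, and if an `InterruptedException` ends up here the thread's interrupt flag is presumably dropped unless `Methods.call` restores it, which is worth confirming. The method is fully contained in this hunk.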
@@ -880,7 +881,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 }
 @Override
- public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
+ public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment> c,
 HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
 // When AC is used, it should be configured as the 1st CP.
 // In Master, the table operations like create, are handled by a Thread pool but the max size
@@ -909,9 +910,17 @@ public class AccessController extends BaseMasterAndRegionObserver
 // default the table owner to current user, if not specified.
 if (owner == null) owner = getActiveUser().getShortName();
- UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
- null, Action.values());
- AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+ final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+ desc.getTableName(), null, Action.values());
+ // switch to the real hbase master user for doing the RPC on the ACL table
+ User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+ userperm);
+ return null;
+ }
+ });
 }
 }
 }
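Review bot: The comment `// switch to the real hbase master user for doing the RPC on the ACL table` in the second hunk says what is done but not why, and the why is the security point of the change: the grant of every `Action` to `owner` now executes with the master's own credentials regardless of who requested the table, so this path must only be reachable after the create itself has been authorized (presumably in the pre-create hook, which is outside the hunk), otherwise a requester could have a full-rights entry written for an arbitrary owner. I would expand it to `// This hook runs inside the client's RPC, so the write to hbase:acl would otherwise go out` / `// as the requesting (doAs) user, who need not have write access to the ACL table. The create` / `// has already been authorized; only the identity used for this one RPC changes here.` It is also worth a sentence that `getActiveUser()` and `owner` are deliberately resolved before the switch, so a later edit does not move them inside `run()` and pick up the login user instead. Because `runAsLoginUser` wraps any failure in a fresh `IOException`, the original exception from `addUserPermission` is only reachable via `getCause()` for callers of this hook. `postCreateTableHandler`'s body continues between and beyond the two hunks.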