Details

    • Type: Sub-task Sub-task
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.94.1, 0.95.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      HBASE-3025 introduced simple ACLs based on coprocessors. It defines global/table/cf/cq level permissions. However, there is no way to grant/revoke global level permissions, other than the hbase.superuser conf setting.

      1. HBASE-5342-draft.patch
        47 kB
        Matteo Bertozzi
      2. HBASE-5342-v0.patch
        54 kB
        Matteo Bertozzi
      3. HBASE-5342-v1.patch
        62 kB
        Matteo Bertozzi
      4. HBASE-5342-v2.patch
        67 kB
        Matteo Bertozzi
      5. HBASE-5342-v3.patch
        68 kB
        Matteo Bertozzi
      6. HBASE-5342-v4.patch
        65 kB
        Matteo Bertozzi
      7. HBASE-5342-v5.patch
        65 kB
        Matteo Bertozzi
      8. HBASE-5342-0.92.patch
        61 kB
        Matteo Bertozzi
      9. HBASE-5342-0.94.patch
        62 kB
        Matteo Bertozzi

        Activity

        Hide
        Gary Helmling added a comment -

        Some of the building blocks for this are already in place. It shouldn't be too difficult to fill in the missing pieces. Would be great to see this completed.

        Show
        Gary Helmling added a comment - Some of the building blocks for this are already in place. It shouldn't be too difficult to fill in the missing pieces. Would be great to see this completed.
        Hide
        Enis Soztutar added a comment -

        I'll work on this once I find some time.

        Show
        Enis Soztutar added a comment - I'll work on this once I find some time.
        Hide
        Matteo Bertozzi added a comment -

        @Enis are you planning to release something soon?
        otherwise I can work on that. Do you have already a draft/notes or can I start from scratch?

        Show
        Matteo Bertozzi added a comment - @Enis are you planning to release something soon? otherwise I can work on that. Do you have already a draft/notes or can I start from scratch?
        Hide
        Enis Soztutar added a comment -

        @Matteo, I do not plan to work on this in the near future, feel free to take a shot. As Gary mentioned, there is already the infrastructure to manage and distribute ACL changes to region servers. I think for this, we should just reuse those. For the hbase shell, we just need to make table argument optional, and change the AccessControlProtocol.grant()/revoke() methods to accept Permission objects rather than TablePermission objects.

        Show
        Enis Soztutar added a comment - @Matteo, I do not plan to work on this in the near future, feel free to take a shot. As Gary mentioned, there is already the infrastructure to manage and distribute ACL changes to region servers. I think for this, we should just reuse those. For the hbase shell, we just need to make table argument optional, and change the AccessControlProtocol.grant()/revoke() methods to accept Permission objects rather than TablePermission objects.
        Hide
        Matteo Bertozzi added a comment -

        I've attached a first draft, if someone want start to reviewing it.
        I still have to add and fix unit tests, and add some comments in hbase shell and some other parts of the code.
        Another part that is missing is HBASE-5385 that I'm going to implement once this is done.
        but any feedback is apreciated.

        Show
        Matteo Bertozzi added a comment - I've attached a first draft, if someone want start to reviewing it. I still have to add and fix unit tests, and add some comments in hbase shell and some other parts of the code. Another part that is missing is HBASE-5385 that I'm going to implement once this is done. but any feedback is apreciated.
        Hide
        Ted Yu added a comment -

        I got the following when applying the draft patch:

        
        2 out of 9 hunks FAILED -- saving rejects to file security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java.rej
        
        +  private void updateGlobalCache(ListMultimap<String,TablePermission> userPerms) {
        

        I would expect Permission in the method signature above. Can the following method be changed to return ListMultimap<String, Permission> ?

               ListMultimap<String,TablePermission> perms = AccessControlLists.readPermissions(in, conf);
        
        -    Set<String> tableSet = new HashSet<String>();
        +    Set<byte[]> tableSet = new HashSet<byte[]>();
        

        HashSet is backed by HashMap: see line 93 of http://www.docjar.com/html/api/java/util/HashSet.java.html
        I think a proper comparator should be used above.

        +   * Returns true if this permission describe a user global permission.
        

        Should read 'describes a global user permission'

        +          raise(ArgumentError, "Can't find a family: #{family}") unless htd.hasFamily(family.to_java_bytes)
        

        Line exceeds 100 chars. Remove the 'a' before 'family' or replace it with 'the'.

        +        user_permission = org.apache.hadoop.hbase.security.access.UserPermission.new(user.to_java_bytes, table_name.to_java_bytes, fambytes, qualbytes, "".to_java_bytes)
        

        Above line is too long. Length should be no longer than 100 chars. Same with the assignment in the else block below.

        Show
        Ted Yu added a comment - I got the following when applying the draft patch:  2 out of 9 hunks FAILED -- saving rejects to file security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java.rej + private void updateGlobalCache(ListMultimap< String ,TablePermission> userPerms) { I would expect Permission in the method signature above. Can the following method be changed to return ListMultimap<String, Permission> ? ListMultimap< String ,TablePermission> perms = AccessControlLists.readPermissions(in, conf); - Set< String > tableSet = new HashSet< String >(); + Set< byte []> tableSet = new HashSet< byte []>(); HashSet is backed by HashMap: see line 93 of http://www.docjar.com/html/api/java/util/HashSet.java.html I think a proper comparator should be used above. + * Returns true if this permission describe a user global permission. Should read 'describes a global user permission' + raise(ArgumentError, "Can't find a family: #{family}" ) unless htd.hasFamily(family.to_java_bytes) Line exceeds 100 chars. Remove the 'a' before 'family' or replace it with 'the'. + user_permission = org.apache.hadoop.hbase.security.access.UserPermission. new (user.to_java_bytes, table_name.to_java_bytes, fambytes, qualbytes, "".to_java_bytes) Above line is too long. Length should be no longer than 100 chars. Same with the assignment in the else block below.
        Hide
        Matteo Bertozzi added a comment -

        @Zhihong sorry I forgot to say that I'm coding it against 0.92, since is a bit more stable/testable than trunk. But the patch should apply fine to 0.94 too. I'll port it to trunk once is done.

        Show
        Matteo Bertozzi added a comment - @Zhihong sorry I forgot to say that I'm coding it against 0.92, since is a bit more stable/testable than trunk. But the patch should apply fine to 0.94 too. I'll port it to trunk once is done.
        Hide
        Matteo Bertozzi added a comment -

        The only difference between 0.92/0.94 and trunk is this commit:
        https://github.com/apache/hbase/commit/19167af652aeb14979146c7bf312cf5925717190

        So if we backport in 0.92/0.94 the posted patch apply without problem.

        +  private void updateGlobalCache(ListMultimap<String,TablePermission> userPerms) {
        

        I would expect Permission in the method signature above. Can the following method be changed to return ListMultimap<String, Permission> ?

        ...I know, but I've tried to stay as close as possible with the current implementation. The global permission is just the same as permission on acl table.

        Maybe we can open a new jira to refactor Permission/TablePermission/UserPermission.

        Show
        Matteo Bertozzi added a comment - The only difference between 0.92/0.94 and trunk is this commit: https://github.com/apache/hbase/commit/19167af652aeb14979146c7bf312cf5925717190 So if we backport in 0.92/0.94 the posted patch apply without problem. + private void updateGlobalCache(ListMultimap< String ,TablePermission> userPerms) { I would expect Permission in the method signature above. Can the following method be changed to return ListMultimap<String, Permission> ? ...I know, but I've tried to stay as close as possible with the current implementation. The global permission is just the same as permission on acl table. Maybe we can open a new jira to refactor Permission/TablePermission/UserPermission.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12525012/HBASE-5342-v0.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.hbase.replication.TestReplication
        org.apache.hadoop.hbase.client.TestShell
        org.apache.hadoop.hbase.master.TestAssignmentManager

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12525012/HBASE-5342-v0.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.hbase.replication.TestReplication org.apache.hadoop.hbase.client.TestShell org.apache.hadoop.hbase.master.TestAssignmentManager Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1683//console This message is automatically generated.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12525020/HBASE-5342-v0.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in .

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12525020/HBASE-5342-v0.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1685//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        @Matteo:
        Can you run the new patch for security profile and let us know the result ?

        Thanks

        Show
        Ted Yu added a comment - @Matteo: Can you run the new patch for security profile and let us know the result ? Thanks
        Hide
        Matteo Bertozzi added a comment -
        Running org.apache.hadoop.hbase.security.TestUser
        Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.955 sec
        
        Results :
        Tests run: 3, Failures: 0, Errors: 0, Skipped: 0
        
        Running org.apache.hadoop.hbase.security.access.TestZKPermissionsWatcher
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 17.958 sec
        Running org.apache.hadoop.hbase.security.access.TestAccessControlFilter
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 19.599 sec
        Running org.apache.hadoop.hbase.security.access.TestAccessController
        Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 34.862 sec
        Running org.apache.hadoop.hbase.security.access.TestTablePermissions
        Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 30.704 sec
        
        Results :
        Tests run: 28, Failures: 0, Errors: 0, Skipped: 0
        
        Running org.apache.hadoop.hbase.security.token.TestTokenAuthentication
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.026 sec
        Running org.apache.hadoop.hbase.security.token.TestZKSecretWatcher
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.995 sec
        
        Results :
        Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
        
        Show
        Matteo Bertozzi added a comment - Running org.apache.hadoop.hbase.security.TestUser Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.955 sec Results : Tests run: 3, Failures: 0, Errors: 0, Skipped: 0 Running org.apache.hadoop.hbase.security.access.TestZKPermissionsWatcher Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 17.958 sec Running org.apache.hadoop.hbase.security.access.TestAccessControlFilter Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 19.599 sec Running org.apache.hadoop.hbase.security.access.TestAccessController Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 34.862 sec Running org.apache.hadoop.hbase.security.access.TestTablePermissions Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 30.704 sec Results : Tests run: 28, Failures: 0, Errors: 0, Skipped: 0 Running org.apache.hadoop.hbase.security.token.TestTokenAuthentication Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 12.026 sec Running org.apache.hadoop.hbase.security.token.TestZKSecretWatcher Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.995 sec Results : Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
        Hide
        Andrew Purtell added a comment -

        The AccessControllerProtocol change is not backwards compatible. You should deprecate

        public void grant(byte[] user, TablePermission permission)
        

        and

        public void revoke(byte[] user, TablePermission permission)
        

        in 0.92 (and 0.94 if it's released already) and take them out in the next major rev after.

        The new 'whoami' command for the shell is nice.

        I also see some noise/whitespace refactoring around debug logging. That kind of change is a little annoying, it distracts from the logic changes. Just a suggestion for future changes.

        Show
        Andrew Purtell added a comment - The AccessControllerProtocol change is not backwards compatible. You should deprecate public void grant( byte [] user, TablePermission permission) and public void revoke( byte [] user, TablePermission permission) in 0.92 (and 0.94 if it's released already) and take them out in the next major rev after. The new 'whoami' command for the shell is nice. I also see some noise/whitespace refactoring around debug logging. That kind of change is a little annoying, it distracts from the logic changes. Just a suggestion for future changes.
        Hide
        Matteo Bertozzi added a comment -

        Don't remove the grant/revoke with user and TablePermission, mark as deprecated and convert to UserPermission.

        Add pre/postHandler() to avoid compilation failure introduced with HBASE-5584.

        Show
        Matteo Bertozzi added a comment - Don't remove the grant/revoke with user and TablePermission, mark as deprecated and convert to UserPermission. Add pre/postHandler() to avoid compilation failure introduced with HBASE-5584 .
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12525773/HBASE-5342-v1.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1783//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12525773/HBASE-5342-v1.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1783//console This message is automatically generated.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12525774/HBASE-5342-v1.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.hbase.regionserver.wal.TestLogRollingNoCluster

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12525774/HBASE-5342-v1.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.hbase.regionserver.wal.TestLogRollingNoCluster Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1784//console This message is automatically generated.
        Hide
        Matteo Bertozzi added a comment -

        Make the patch compile again, after HBASE-5584 AccessController build fix

        Show
        Matteo Bertozzi added a comment - Make the patch compile again, after HBASE-5584 AccessController build fix
        Hide
        Andrew Purtell added a comment -

        @Matteo,

        To maintain compatibility in HBase aka Hadoop RPC as it currently works, you must insure:

        • The new methods must be placed after all others in the interface. If the order of existing methods in the interface changes, it won't work.
        • Do not change VERSION in VersionedProtocols (which CoprocessorProtocol inherits from). This doesn't allow backwards compatibility, it tells the client to go away if different. We can use it to fast fail incompatible clients after a deprecation is complete but not during the transition.
        • Then, if the new methods are not available, on the client side you can catch NoSuchMethodException from the remote and use an alternate API strategy.

        As you can imagine, it is a great thing we are migrating all of our RPC protocols to protobufs for 0.96+, it has a cross-version story that avoids kludges like the above. Unfortunately, the above is currently necessary.

        Show
        Andrew Purtell added a comment - @Matteo, To maintain compatibility in HBase aka Hadoop RPC as it currently works, you must insure: The new methods must be placed after all others in the interface. If the order of existing methods in the interface changes, it won't work. Do not change VERSION in VersionedProtocols (which CoprocessorProtocol inherits from). This doesn't allow backwards compatibility, it tells the client to go away if different. We can use it to fast fail incompatible clients after a deprecation is complete but not during the transition. Then, if the new methods are not available, on the client side you can catch NoSuchMethodException from the remote and use an alternate API strategy. As you can imagine, it is a great thing we are migrating all of our RPC protocols to protobufs for 0.96+, it has a cross-version story that avoids kludges like the above. Unfortunately, the above is currently necessary.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12526007/HBASE-5342-v2.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12526007/HBASE-5342-v2.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1797//console This message is automatically generated.
        Hide
        Jonathan Hsieh added a comment -

        Andrew: I don't think the order matters anymore – I checked this when I added the offline method to 0.90. Rpcs actually send their names across the wire!

        See here on HBASE-5589.
        https://issues.apache.org/jira/browse/HBASE-5589?focusedCommentId=13233923&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13233923

        Show
        Jonathan Hsieh added a comment - Andrew: I don't think the order matters anymore – I checked this when I added the offline method to 0.90. Rpcs actually send their names across the wire! See here on HBASE-5589 . https://issues.apache.org/jira/browse/HBASE-5589?focusedCommentId=13233923&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13233923
        Hide
        Andrew Purtell added a comment -

        @Jon: Noted, thanks for the clarification!

        Show
        Andrew Purtell added a comment - @Jon: Noted, thanks for the clarification!
        Hide
        Matteo Bertozzi added a comment -

        Keep the old protocol version
        mark "old" grant/revoke as deprecated
        catch if server doesn't support new grant/revoke with global and fallback to the old method if necessary.

        Show
        Matteo Bertozzi added a comment - Keep the old protocol version mark "old" grant/revoke as deprecated catch if server doesn't support new grant/revoke with global and fallback to the old method if necessary.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12526440/HBASE-5342-v3.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.hbase.TestRegionRebalancing
        org.apache.hadoop.hbase.TestDrainingServer
        org.apache.hadoop.hbase.coprocessor.TestClassLoading

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12526440/HBASE-5342-v3.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.hbase.TestRegionRebalancing org.apache.hadoop.hbase.TestDrainingServer org.apache.hadoop.hbase.coprocessor.TestClassLoading Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1841//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        For getTablePermissions():

             if (Bytes.equals(tableName, HConstants.ROOT_TABLE_NAME) ||
        -        Bytes.equals(tableName, HConstants.META_TABLE_NAME) ||
        -        Bytes.equals(tableName, AccessControlLists.ACL_TABLE_NAME)) {
        +        Bytes.equals(tableName, HConstants.META_TABLE_NAME)) {
        

        Why is ACL_TABLE_NAME removed from the condition above ?

        Show
        Ted Yu added a comment - For getTablePermissions(): if (Bytes.equals(tableName, HConstants.ROOT_TABLE_NAME) || - Bytes.equals(tableName, HConstants.META_TABLE_NAME) || - Bytes.equals(tableName, AccessControlLists.ACL_TABLE_NAME)) { + Bytes.equals(tableName, HConstants.META_TABLE_NAME)) { Why is ACL_TABLE_NAME removed from the condition above ?
        Hide
        Matteo Bertozzi added a comment -

        getTablePermissions() returns the permission for the specified table is used by AccessController.updateAcl() to write to zookeeper nodes the table permissions.
        We can skip root & meta because they are handled as a special case, mostly in AccessController.permissionGranted(), while the acl table is used to store the global permissions. So instead of return an empty listMap we return the global permissions.

        Show
        Matteo Bertozzi added a comment - getTablePermissions() returns the permission for the specified table is used by AccessController.updateAcl() to write to zookeeper nodes the table permissions. We can skip root & meta because they are handled as a special case, mostly in AccessController.permissionGranted(), while the acl table is used to store the global permissions. So instead of return an empty listMap we return the global permissions.
        Hide
        Ted Yu added a comment -

        Nice work.

        Why is TreeSet needed below ?

        -    Set<String> tableSet = new HashSet<String>();
        +    Set<byte[]> tableSet = new TreeSet<byte[]>(Bytes.BYTES_COMPARATOR);
        
        +    // Users with CREATE/ADMIN Rights needs to modify .META. and _acl_ table
        

        'needs to' -> 'need to'

        +    // e.g. new table writes in .META. remove table writes in .META. and _acl_.
        

        Please rewrite the above so that it is clearer.

        +       return AuthResult.allow("Table permission granted", user, permRequest, tableName); 
        

        Minor: there is a white space at the end of above line - I found it on review board.

        +   * Returns true if this permission describes a user global permission.
        

        'user global' -> 'global user'

        For whoami.rb, it contains the same contents 4 times. Please remove 3 of them.

        Show
        Ted Yu added a comment - Nice work. Why is TreeSet needed below ? - Set< String > tableSet = new HashSet< String >(); + Set< byte []> tableSet = new TreeSet< byte []>(Bytes.BYTES_COMPARATOR); + // Users with CREATE/ADMIN Rights needs to modify .META. and _acl_ table 'needs to' -> 'need to' + // e.g. new table writes in .META. remove table writes in .META. and _acl_. Please rewrite the above so that it is clearer. + return AuthResult.allow( "Table permission granted" , user, permRequest, tableName); Minor: there is a white space at the end of above line - I found it on review board. + * Returns true if this permission describes a user global permission. 'user global' -> 'global user' For whoami.rb, it contains the same contents 4 times. Please remove 3 of them.
        Hide
        Matteo Bertozzi added a comment -

        @Zhihong Yu thanks for the review

        Why is TreeSet needed below ?

        I've changed from String to byte[] and so I've switched to TreeMap, anyway there're no much entry

        Show
        Matteo Bertozzi added a comment - @Zhihong Yu thanks for the review Why is TreeSet needed below ? I've changed from String to byte[] and so I've switched to TreeMap, anyway there're no much entry
        Hide
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12526549/HBASE-5342-v4.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in .

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12526549/HBASE-5342-v4.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1849//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        @Matteo:
        Looks like HBASE-5732 went in

        Do you mind rebasing your patch ?

        Show
        Ted Yu added a comment - @Matteo: Looks like HBASE-5732 went in Do you mind rebasing your patch ?
        Hide
        Matteo Bertozzi added a comment -

        patch rebased, HBASE-5732 went in.

        Show
        Matteo Bertozzi added a comment - patch rebased, HBASE-5732 went in.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12526614/HBASE-5342-v5.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        -1 findbugs. The patch appears to introduce 31 new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.hbase.TestDrainingServer

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12526614/HBASE-5342-v5.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 31 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.hbase.TestDrainingServer Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1857//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        Failed test is covered by HBASE-5992.

        Integrated to trunk.

        Thanks for the patch, Matteo.

        Thanks for the review, Andy.

        Show
        Ted Yu added a comment - Failed test is covered by HBASE-5992 . Integrated to trunk. Thanks for the patch, Matteo. Thanks for the review, Andy.
        Hide
        Matteo Bertozzi added a comment -

        Can we backport this to 0.92 and 0.94? the security/access code is the same and this one doesn't break the compatibility.
        I'll attach a patch later for 0.92/0.94.

        Show
        Matteo Bertozzi added a comment - Can we backport this to 0.92 and 0.94? the security/access code is the same and this one doesn't break the compatibility. I'll attach a patch later for 0.92/0.94.
        Hide
        Ted Yu added a comment -

        @Matteo:
        Please run through corresponding test suite before posting backport.

        @Andy, @Lars:
        What do you think of the backport ?

        Show
        Ted Yu added a comment - @Matteo: Please run through corresponding test suite before posting backport. @Andy, @Lars: What do you think of the backport ?
        Hide
        Hudson added a comment -

        Integrated in HBase-TRUNK #2875 (See https://builds.apache.org/job/HBase-TRUNK/2875/)
        HBASE-5342 Grant/Revoke global permissions (Matteo Bertozzi) (Revision 1337499)

        Result = FAILURE
        tedyu :
        Files :

        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/trunk/src/main/ruby/hbase/security.rb
        • /hbase/trunk/src/main/ruby/shell.rb
        • /hbase/trunk/src/main/ruby/shell/commands/grant.rb
        • /hbase/trunk/src/main/ruby/shell/commands/revoke.rb
        • /hbase/trunk/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/trunk/src/main/ruby/shell/commands/whoami.rb
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        Show
        Hudson added a comment - Integrated in HBase-TRUNK #2875 (See https://builds.apache.org/job/HBase-TRUNK/2875/ ) HBASE-5342 Grant/Revoke global permissions (Matteo Bertozzi) (Revision 1337499) Result = FAILURE tedyu : Files : /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/trunk/src/main/ruby/hbase/security.rb /hbase/trunk/src/main/ruby/shell.rb /hbase/trunk/src/main/ruby/shell/commands/grant.rb /hbase/trunk/src/main/ruby/shell/commands/revoke.rb /hbase/trunk/src/main/ruby/shell/commands/user_permission.rb /hbase/trunk/src/main/ruby/shell/commands/whoami.rb /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        Hide
        Hudson added a comment -

        Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #2 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/2/)
        HBASE-5342 Grant/Revoke global permissions (Matteo Bertozzi) (Revision 1337499)

        Result = FAILURE
        tedyu :
        Files :

        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/trunk/src/main/ruby/hbase/security.rb
        • /hbase/trunk/src/main/ruby/shell.rb
        • /hbase/trunk/src/main/ruby/shell/commands/grant.rb
        • /hbase/trunk/src/main/ruby/shell/commands/revoke.rb
        • /hbase/trunk/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/trunk/src/main/ruby/shell/commands/whoami.rb
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        Show
        Hudson added a comment - Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #2 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/2/ ) HBASE-5342 Grant/Revoke global permissions (Matteo Bertozzi) (Revision 1337499) Result = FAILURE tedyu : Files : /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/trunk/src/main/ruby/hbase/security.rb /hbase/trunk/src/main/ruby/shell.rb /hbase/trunk/src/main/ruby/shell/commands/grant.rb /hbase/trunk/src/main/ruby/shell/commands/revoke.rb /hbase/trunk/src/main/ruby/shell/commands/user_permission.rb /hbase/trunk/src/main/ruby/shell/commands/whoami.rb /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/trunk/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        Hide
        Matteo Bertozzi added a comment -

        the 0.92/0.94 version

        Show
        Matteo Bertozzi added a comment - the 0.92/0.94 version
        Hide
        Matteo Bertozzi added a comment -
        Running org.apache.hadoop.hbase.security.token.TestTokenAuthentication
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.058 sec
        Running org.apache.hadoop.hbase.security.token.TestZKSecretWatcher
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.702 sec
        
        Results :
        
        Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
        
        Running org.apache.hadoop.hbase.security.access.TestZKPermissionsWatcher
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 20.706 sec
        Running org.apache.hadoop.hbase.security.access.TestAccessControlFilter
        Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 23.621 sec
        Running org.apache.hadoop.hbase.security.access.TestAccessController
        Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 37.041 sec
        Running org.apache.hadoop.hbase.security.access.TestTablePermissions
        Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 34.577 sec
        
        Results :
        
        Tests run: 28, Failures: 0, Errors: 0, Skipped: 0
        
        Show
        Matteo Bertozzi added a comment - Running org.apache.hadoop.hbase.security.token.TestTokenAuthentication Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.058 sec Running org.apache.hadoop.hbase.security.token.TestZKSecretWatcher Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.702 sec Results : Tests run: 2, Failures: 0, Errors: 0, Skipped: 0 Running org.apache.hadoop.hbase.security.access.TestZKPermissionsWatcher Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 20.706 sec Running org.apache.hadoop.hbase.security.access.TestAccessControlFilter Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 23.621 sec Running org.apache.hadoop.hbase.security.access.TestAccessController Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 37.041 sec Running org.apache.hadoop.hbase.security.access.TestTablePermissions Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 34.577 sec Results : Tests run: 28, Failures: 0, Errors: 0, Skipped: 0
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12526640/HBASE-5342-0.94.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 9 new or modified tests.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1861//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12526640/HBASE-5342-0.94.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 9 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1861//console This message is automatically generated.
        Hide
        Matteo Bertozzi added a comment -

        @Andy, @Lars: Can we backport this to 0.92 and 0.94?

        I've developed it on 0.92, since the code was the same from 0.92 to trunk.
        And since the new functionality doesn't break the compatibility, I think that it is safe to backport. What do you think?

        Show
        Matteo Bertozzi added a comment - @Andy, @Lars: Can we backport this to 0.92 and 0.94? I've developed it on 0.92, since the code was the same from 0.92 to trunk. And since the new functionality doesn't break the compatibility, I think that it is safe to backport. What do you think?
        Hide
        Andrew Purtell added a comment -

        I think that it is safe to backport. What do you think?

        +1, we should keep the AccessController code in sync across trunk, 0.94, and 0.92 until finally there is some incompatible change on trunk; then as close as possible.

        Show
        Andrew Purtell added a comment - I think that it is safe to backport. What do you think? +1, we should keep the AccessController code in sync across trunk, 0.94, and 0.92 until finally there is some incompatible change on trunk; then as close as possible.
        Hide
        Ted Yu added a comment -

        Integrated to 0.92 and 0.94

        Thanks for the patch, Matteo (there was a duplicate copy in whoami.rb of 0.94 patch, I removed the extra one)

        Thanks for the review, Andy.

        Show
        Ted Yu added a comment - Integrated to 0.92 and 0.94 Thanks for the patch, Matteo (there was a duplicate copy in whoami.rb of 0.94 patch, I removed the extra one) Thanks for the review, Andy.
        Hide
        Ted Yu added a comment -

        Targeting 0.92.2

        Show
        Ted Yu added a comment - Targeting 0.92.2
        Hide
        Hudson added a comment -

        Integrated in HBase-0.94 #199 (See https://builds.apache.org/job/HBase-0.94/199/)
        HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339922)

        Result = FAILURE
        tedyu :
        Files :

        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        • /hbase/branches/0.94/src/main/ruby/hbase/security.rb
        • /hbase/branches/0.94/src/main/ruby/shell.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/grant.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/revoke.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/whoami.rb
        Show
        Hudson added a comment - Integrated in HBase-0.94 #199 (See https://builds.apache.org/job/HBase-0.94/199/ ) HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339922) Result = FAILURE tedyu : Files : /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java /hbase/branches/0.94/src/main/ruby/hbase/security.rb /hbase/branches/0.94/src/main/ruby/shell.rb /hbase/branches/0.94/src/main/ruby/shell/commands/grant.rb /hbase/branches/0.94/src/main/ruby/shell/commands/revoke.rb /hbase/branches/0.94/src/main/ruby/shell/commands/user_permission.rb /hbase/branches/0.94/src/main/ruby/shell/commands/whoami.rb
        Hide
        Hudson added a comment -

        Integrated in HBase-0.92-security #107 (See https://builds.apache.org/job/HBase-0.92-security/107/)
        HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339924)

        Result = FAILURE
        tedyu :
        Files :

        • /hbase/branches/0.92/CHANGES.txt
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        • /hbase/branches/0.92/src/main/ruby/hbase/security.rb
        • /hbase/branches/0.92/src/main/ruby/shell.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/grant.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/revoke.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/whoami.rb
        Show
        Hudson added a comment - Integrated in HBase-0.92-security #107 (See https://builds.apache.org/job/HBase-0.92-security/107/ ) HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339924) Result = FAILURE tedyu : Files : /hbase/branches/0.92/CHANGES.txt /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java /hbase/branches/0.92/src/main/ruby/hbase/security.rb /hbase/branches/0.92/src/main/ruby/shell.rb /hbase/branches/0.92/src/main/ruby/shell/commands/grant.rb /hbase/branches/0.92/src/main/ruby/shell/commands/revoke.rb /hbase/branches/0.92/src/main/ruby/shell/commands/user_permission.rb /hbase/branches/0.92/src/main/ruby/shell/commands/whoami.rb
        Hide
        Hudson added a comment -

        Integrated in HBase-0.92 #411 (See https://builds.apache.org/job/HBase-0.92/411/)
        HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339924)

        Result = FAILURE
        tedyu :
        Files :

        • /hbase/branches/0.92/CHANGES.txt
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        • /hbase/branches/0.92/src/main/ruby/hbase/security.rb
        • /hbase/branches/0.92/src/main/ruby/shell.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/grant.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/revoke.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/branches/0.92/src/main/ruby/shell/commands/whoami.rb
        Show
        Hudson added a comment - Integrated in HBase-0.92 #411 (See https://builds.apache.org/job/HBase-0.92/411/ ) HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339924) Result = FAILURE tedyu : Files : /hbase/branches/0.92/CHANGES.txt /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java /hbase/branches/0.92/src/main/ruby/hbase/security.rb /hbase/branches/0.92/src/main/ruby/shell.rb /hbase/branches/0.92/src/main/ruby/shell/commands/grant.rb /hbase/branches/0.92/src/main/ruby/shell/commands/revoke.rb /hbase/branches/0.92/src/main/ruby/shell/commands/user_permission.rb /hbase/branches/0.92/src/main/ruby/shell/commands/whoami.rb
        Hide
        Hudson added a comment -

        Integrated in HBase-0.94-security #27 (See https://builds.apache.org/job/HBase-0.94-security/27/)
        HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339922)

        Result = SUCCESS
        tedyu :
        Files :

        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
        • /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
        • /hbase/branches/0.94/src/main/ruby/hbase/security.rb
        • /hbase/branches/0.94/src/main/ruby/shell.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/grant.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/revoke.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/user_permission.rb
        • /hbase/branches/0.94/src/main/ruby/shell/commands/whoami.rb
        Show
        Hudson added a comment - Integrated in HBase-0.94-security #27 (See https://builds.apache.org/job/HBase-0.94-security/27/ ) HBASE-5342 Grant/Revoke global permissions (Matteo) (Revision 1339922) Result = SUCCESS tedyu : Files : /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java /hbase/branches/0.94/src/main/ruby/hbase/security.rb /hbase/branches/0.94/src/main/ruby/shell.rb /hbase/branches/0.94/src/main/ruby/shell/commands/grant.rb /hbase/branches/0.94/src/main/ruby/shell/commands/revoke.rb /hbase/branches/0.94/src/main/ruby/shell/commands/user_permission.rb /hbase/branches/0.94/src/main/ruby/shell/commands/whoami.rb

          People

          • Assignee:
            Matteo Bertozzi
            Reporter:
            Enis Soztutar
          • Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development