From c780de0e4f93f6fe3f20efa402ced7f06bccb584 Mon Sep 17 00:00:00 2001
From: stack
Date: Fri, 3 Apr 2015 15:37:30 -0700
Subject: [PATCH] HBASE-13397 Purge duplicate rpc request thread local
Amending-Author: Andrew Purtell
---
 .../org/apache/hadoop/hbase/ipc/CallRunner.java | 11 +-
 .../apache/hadoop/hbase/ipc/RequestContext.java | 153 ---------------------
 .../apache/hadoop/hbase/ipc/RpcCallContext.java | 22 +++
 .../org/apache/hadoop/hbase/ipc/RpcServer.java | 87 +++++++++---
 .../org/apache/hadoop/hbase/master/HMaster.java | 4 +-
 .../hbase/master/handler/CreateTableHandler.java | 7 +-
 .../hbase/security/access/AccessController.java | 25 ++--
 .../security/access/SecureBulkLoadEndpoint.java | 7 +-
 .../hadoop/hbase/security/token/TokenProvider.java | 5 +-
 .../security/visibility/VisibilityController.java | 20 +--
 .../hbase/security/visibility/VisibilityUtils.java | 6 +-
 .../apache/hadoop/hbase/ipc/TestCallRunner.java | 3 +-
 .../security/token/TestTokenAuthentication.java | 5 +-
 13 files changed, 122 insertions(+), 233 deletions(-)
 delete mode 100644 hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/CallRunner.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/CallRunner.java
index e45685b..142f005 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/CallRunner.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/CallRunner.java
@@ -23,7 +23,6 @@ import org.apache.hadoop.hbase.CellScanner;
 import org.apache.hadoop.hbase.ipc.RpcServer.Call;
 import org.apache.hadoop.hbase.monitoring.MonitoredRPCHandler;
 import org.apache.hadoop.hbase.monitoring.TaskMonitor;
-import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.util.Pair;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.StringUtils;
@@ -42,7 +41,6 @@ public class CallRunner {
 private Call call;
 private RpcServerInterface rpcServer;
 private MonitoredRPCHandler status;
- private UserProvider userProvider;
 /**
 * On construction, adds the size of this call to the running count of outstanding call sizes.
@@ -50,13 +48,12 @@ public class CallRunner {
 * time we occupy heap.
 */
 // The constructor is shutdown so only RpcServer in this class can make one of these.
- CallRunner(final RpcServerInterface rpcServer, final Call call, UserProvider userProvider) {
+ CallRunner(final RpcServerInterface rpcServer, final Call call) {
 this.call = call;
 this.rpcServer = rpcServer;
 // Add size of the call to queue size.
 this.rpcServer.addCallSize(call.getSize());
 this.status = getStatus();
- this.userProvider = userProvider;
 }
 public Call getCall() {
@@ -70,7 +67,6 @@ public class CallRunner {
 this.call = null;
 this.rpcServer = null;
 this.status = null;
- this.userProvider = null;
 }
 public void run() {
@@ -101,8 +97,6 @@ public class CallRunner {
 if (call.tinfo != null) {
 traceScope = Trace.startSpan(call.toTraceString(), call.tinfo);
 }
- RequestContext.set(userProvider.create(call.connection.user), RpcServer.getRemoteIp(),
- call.connection.service);
 // make the call
 resultPair = this.rpcServer.call(call.service, call.md, call.param, call.cellScanner, call.timestamp, this.status);
@@ -117,9 +111,6 @@ public class CallRunner {
 if (traceScope != null) {
 traceScope.close();
 }
- // Must always clear the request context to avoid leaking
- // credentials between requests.
- RequestContext.clear();
 }
 RpcServer.CurCall.set(null);
 // Set the response for undelayed calls and delayed calls with
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java
deleted file mode 100644
index 45fd6c5..0000000
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java
+++ /dev/null
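Review bot: With `RequestContext.clear()` removed from the `finally` block in the `@@ -117,9 +111,6 @@` hunk, the only remaining reset of per-request identity on the handler thread is `RpcServer.CurCall.set(null);`, which in the trailing context appears to sit after the `finally` block rather than inside it. The removed comment gave the reason for clearing unconditionally (no credentials leaking between requests), and the new `RpcServer.getRequestUser()` presumably resolves the user through that same thread-local. Moving `RpcServer.CurCall.set(null);` into the existing `finally` block would keep that guarantee on every exit path. `run()` starts and ends outside this hunk, so confirm nothing after the `finally` still needs the current call before making the move.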
@@ -1,153 +0,0 @@
-/*
- * Copyright The Apache Software Foundation
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.hbase.ipc;
-
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.security.User;
-
-import com.google.protobuf.BlockingService;
-
-import org.apache.hadoop.hbase.util.Bytes;
-import org.cloudera.htrace.Trace;
-
-import java.net.InetAddress;
-
-/**
- * Represents client information (authenticated username, remote address, protocol)
- * for the currently executing request. If called outside the context of a RPC request, all values
- * will be null. The {@link CallRunner} class before it a call and then on
- * its way out, it will clear the thread local.
- */
-@InterfaceAudience.Private
-public class RequestContext {
- private static ThreadLocal instance =
- new ThreadLocal() {
- protected RequestContext initialValue() {
- return new RequestContext(null, null, null);
- }
- };
-
- public static RequestContext get() {
- return instance.get();
- }
-
-
- /**
- * Returns the user credentials associated with the current RPC request or
- * null if no credentials were provided.
- * @return A User
- */
- public static User getRequestUser() {
- RequestContext ctx = instance.get();
- if (ctx != null) {
- return ctx.getUser();
- }
- return null;
- }
-
- /**
- * Returns the username for any user associated with the current RPC
- * request or null if no user is set.
- */
- public static String getRequestUserName() {
- User user = getRequestUser();
- if (user != null) {
- return user.getShortName();
- }
- return null;
- }
-
- /**
- * Indicates whether or not the current thread is within scope of executing
- * an RPC request.
- */
- public static boolean isInRequestContext() {
- RequestContext ctx = instance.get();
- if (ctx != null) {
- return ctx.isInRequest();
- }
- return false;
- }
-
- /**
- * Initializes the client credentials for the current request.
- * @param user
- * @param remoteAddress
- * @param service
- */
- public static void set(User user,
- InetAddress remoteAddress, BlockingService service) {
- RequestContext ctx = instance.get();
- ctx.user = user;
- ctx.remoteAddress = remoteAddress;
- ctx.service = service;
- ctx.inRequest = true;
- if (Trace.isTracing()) {
- if (user != null) {
- Trace.currentSpan().addKVAnnotation(Bytes.toBytes("user"), Bytes.toBytes(user.getName()));
- }
- if (remoteAddress != null) {
- Trace.currentSpan().addKVAnnotation(
- Bytes.toBytes("remoteAddress"),
- Bytes.toBytes(remoteAddress.getHostAddress()));
- }
- }
- }
-
- /**
- * Clears out the client credentials for a given request.
- */
- public static void clear() {
- RequestContext ctx = instance.get();
- ctx.user = null;
- ctx.remoteAddress = null;
- ctx.service = null;
- ctx.inRequest = false;
- }
-
- private User user;
- private InetAddress remoteAddress;
- private BlockingService service;
- // indicates we're within a RPC request invocation
- private boolean inRequest;
-
- private RequestContext(User user, InetAddress remoteAddr, BlockingService service) {
- this.user = user;
- this.remoteAddress = remoteAddr;
- this.service = service;
- }
-
- public User getUser() {
- return user;
- }
-
- public InetAddress getRemoteAddress() {
- return remoteAddress;
- }
-
- public BlockingService getService() {
- return this.service;
- }
-
- boolean isInRequest() {
- return inRequest;
- }
-}
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcCallContext.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcCallContext.java
index fd16346..d470d94 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcCallContext.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcCallContext.java
@@ -17,7 +17,12 @@
 */
 package org.apache.hadoop.hbase.ipc;
+import java.net.InetAddress;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
+import org.apache.hadoop.hbase.security.User;
+
+@InterfaceAudience.Private
 public interface RpcCallContext extends Delayable {
 /**
 * Check if the caller who made this IPC call has disconnected.
@@ -36,4 +41,21 @@ public interface RpcCallContext extends Delayable {
 * @return True if the client supports cellblocks, else return all content in pb
 */
 boolean isClientCellBlockSupport();
+
+ /**
+ * Returns the user credentials associated with the current RPC request or
+ * null if no credentials were provided.
+ * @return A User
+ */
+ User getRequestUser();
+
+ /**
+ * @return Current request's user name or null if none ongoing.
+ */
+ String getRequestUserName();
+
+ /**
+ * @return Address of remote client if a request is ongoing, else null
+ */
+ InetAddress getRemoteAddress();
 }
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java
index aafdc02..0e7efb9 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java
@@ -93,6 +93,7 @@ import org.apache.hadoop.hbase.security.HBaseSaslRpcServer.SaslDigestCallbackHan
 import org.apache.hadoop.hbase.security.HBaseSaslRpcServer.SaslGssCallbackHandler;
 import org.apache.hadoop.hbase.security.SaslStatus;
 import org.apache.hadoop.hbase.security.SaslUtil;
+import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.security.token.AuthenticationTokenSecretManager;
 import org.apache.hadoop.hbase.util.Bytes;
@@ -296,9 +297,22 @@ public class RpcServer implements RpcServerInterface {
 protected TraceInfo tinfo;
 private ByteBuffer cellBlock = null;
+ private User user;
+ private InetAddress remoteAddress;
+
+ /**
+ * Deprecated, do not use
+ */
+ @Deprecated
+ Call(int id, final BlockingService service, final MethodDescriptor md, RequestHeader header,
+ Message param, CellScanner cellScanner, Connection connection, Responder responder,
+ long size, TraceInfo tinfo) {
+ this(id, service, md, header, param, cellScanner, connection, responder, size, tinfo, null);
+ }
+
 Call(int id, final BlockingService service, final MethodDescriptor md, RequestHeader header,
 Message param, CellScanner cellScanner, Connection connection, Responder responder,
- long size, TraceInfo tinfo) {
+ long size, TraceInfo tinfo, InetAddress remoteAddress) {
 this.id = id;
 this.service = service;
 this.md = md;
@@ -313,6 +327,8 @@ public class RpcServer implements RpcServerInterface {
 this.isError = false;
 this.size = size;
 this.tinfo = tinfo;
+ this.user = connection.user == null? null: userProvider.create(connection.user);
+ this.remoteAddress = remoteAddress;
 }
 /**
@@ -338,6 +354,22 @@ public class RpcServer implements RpcServerInterface {
 return this.header;
 }
+ @Override
+ public User getRequestUser() {
+ return user;
+ }
+
+ @Override
+ public String getRequestUserName() {
+ User user = getRequestUser();
+ return user == null? null: user.getShortName();
+ }
+
+ @Override
+ public InetAddress getRemoteAddress() {
+ return remoteAddress;
+ }
+
 /*
 * Short string representation without param info because param itself could be huge depends on
 * the payload of a command
@@ -1183,13 +1215,13 @@ public class RpcServer implements RpcServerInterface {
 private static final int AUTHROIZATION_FAILED_CALLID = -1;
 private final Call authFailedCall = new Call(AUTHROIZATION_FAILED_CALLID, this.service, null,
- null, null, null, this, null, 0, null);
+ null, null, null, this, null, 0, null, null);
 private ByteArrayOutputStream authFailedResponse = new ByteArrayOutputStream();
 // Fake 'call' for SASL context setup
 private static final int SASL_CALLID = -33;
 private final Call saslCall =
- new Call(SASL_CALLID, this.service, null, null, null, null, this, null, 0, null);
+ new Call(SASL_CALLID, this.service, null, null, null, null, this, null, 0, null, null);
 public UserGroupInformation attemptingUser = null; // user name before auth
@@ -1556,7 +1588,7 @@ public class RpcServer implements RpcServerInterface {
 private int doBadPreambleHandling(final String msg, final Exception e) throws IOException {
 LOG.warn(msg);
- Call fakeCall = new Call(-1, null, null, null, null, null, this, responder, -1, null);
+ Call fakeCall = new Call(-1, null, null, null, null, null, this, responder, -1, null, null);
 setupResponse(null, fakeCall, e, msg);
 responder.doRespond(fakeCall);
 // Returning -1 closes out the connection.
@@ -1708,7 +1740,7 @@ public class RpcServer implements RpcServerInterface {
 if ((totalRequestSize + callQueueSize.get()) > maxQueueSize) {
 final Call callTooBig = new Call(id, this.service, null, null, null, null, this,
- responder, totalRequestSize, null);
+ responder, totalRequestSize, null, null);
 ByteArrayOutputStream responseBuffer = new ByteArrayOutputStream();
 setupResponse(responseBuffer, callTooBig, new CallQueueTooBigException(), "Call queue is full on " + getListenerAddress() +
@@ -1753,7 +1785,7 @@ public class RpcServer implements RpcServerInterface {
 final Call readParamsFailedCall = new Call(id, this.service, null, null, null, null, this,
- responder, totalRequestSize, null);
+ responder, totalRequestSize, null, null);
 ByteArrayOutputStream responseBuffer = new ByteArrayOutputStream();
 setupResponse(responseBuffer, readParamsFailedCall, t, msg + "; " + t.getMessage());
@@ -1766,8 +1798,8 @@ public class RpcServer implements RpcServerInterface {
 : null;
 Call call = new Call(id, this.service, md, header, param, cellScanner, this, responder, totalRequestSize,
- traceInfo);
- scheduler.dispatch(new CallRunner(RpcServer.this, call, userProvider));
+ traceInfo, RpcServer.getRemoteIp());
+ scheduler.dispatch(new CallRunner(RpcServer.this, call));
 }
 private boolean authorizeConnection() throws IOException {
@@ -2331,6 +2363,33 @@ public class RpcServer implements RpcServerInterface {
 }
 /**
+ * Returns the user credentials associated with the current RPC request or
+ * null if no credentials were provided.
+ * @return A User
+ */
+ public static User getRequestUser() {
+ RpcCallContext ctx = getCurrentCall();
+ return ctx == null? null: ctx.getRequestUser();
+ }
+
+ /**
+ * Returns the username for any user associated with the current RPC
+ * request or null if no user is set.
+ */
+ public static String getRequestUserName() {
+ User user = getRequestUser();
+ return user == null? null: user.getShortName();
+ }
+
+ /**
+ * @return Address of remote client if a request is ongoing, else null
+ */
+ public static InetAddress getRemoteAddress() {
+ RpcCallContext ctx = getCurrentCall();
+ return ctx == null? null: ctx.getRemoteAddress();
+ }
+
+ /**
 * @param serviceName Some arbitrary string that represents a 'service'.
 * @param services Available service instances
 * @return Matching BlockingServiceAndInterface pair
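Review bot: In the `@@ -1766,8 +1798,8 @@` hunk the client address is captured with `RpcServer.getRemoteIp()` while the `Call` is still being constructed, before `CallRunner` has started running it. The removed code evaluated `getRemoteIp()` from inside `CallRunner`; if that helper reads the `CurCall` thread-local, as the removed `getRemoteAddress()` did, no current call is set at this point and every `Call` would carry a null address, so the audit lines built from `RpcServer.getRemoteAddress()` would lose the client address. Taking the address from this connection directly, rather than through a static thread-local lookup, would remove the ordering dependency. The body of `getRemoteIp()` and the enclosing method are outside the hunk, so this needs confirming against them.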
@@ -2383,18 +2442,6 @@ public class RpcServer implements RpcServerInterface {
 return null;
 }
- /** Returns remote address as a string when invoked inside an RPC.
- * Returns null in case of an error.
- * @return String
- */
- public static String getRemoteAddress() {
- Call call = CurCall.get();
- if (call != null) {
- return call.connection.getHostAddress();
- }
- return null;
- }
-
 /**
 * A convenience method to bind to a given address and report
 * better exceptions if the address is not a valid host.
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
index 453b35d..62ba6fb 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
@@ -86,7 +86,6 @@ import org.apache.hadoop.hbase.exceptions.UnknownProtocolException;
 import org.apache.hadoop.hbase.executor.ExecutorService;
 import org.apache.hadoop.hbase.executor.ExecutorType;
 import org.apache.hadoop.hbase.ipc.FifoRpcScheduler;
-import org.apache.hadoop.hbase.ipc.RequestContext;
 import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
 import org.apache.hadoop.hbase.ipc.RpcServerInterface;
@@ -1669,8 +1668,7 @@ MasterServices, Server {
 * @return Client info for use as prefix on an audit log string; who did an action
 */
 String getClientIdAuditPrefix() {
- return "Client=" + RequestContext.getRequestUserName() + "/" +
- RequestContext.get().getRemoteAddress();
+ return "Client=" + RpcServer.getRequestUserName() + "/" + RpcServer.getRemoteAddress();
 }
 public boolean synchronousBalanceSwitch(final boolean b) throws IOException {
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
index bb9e4ec..8dc7cb5 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java
@@ -40,7 +40,7 @@ import org.apache.hadoop.hbase.catalog.MetaEditor;
 import org.apache.hadoop.hbase.catalog.MetaReader;
 import org.apache.hadoop.hbase.executor.EventHandler;
 import org.apache.hadoop.hbase.executor.EventType;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.master.AssignmentManager;
 import org.apache.hadoop.hbase.master.HMaster;
 import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
@@ -99,9 +99,8 @@ public class CreateTableHandler extends EventHandler {
 // If we are creating the table in service to an RPC request, record the
 // active user for later, so proper permissions will be applied to the
 // new table by the AccessController if it is active
- if (RequestContext.isInRequestContext()) {
- this.activeUser = RequestContext.getRequestUser();
- } else {
+ this.activeUser = RpcServer.getRequestUser();
+ if (this.activeUser == null) {
 this.activeUser = UserProvider.instantiate(conf).getCurrent();
 }
 } catch (InterruptedException e) {
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 0601ce4..0750776 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
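Review bot: In the `@@ -99,9 +99,8 @@` hunk a null from `RpcServer.getRequestUser()` now stands for both "no RPC in progress" and "RPC whose caller has no user", and both fall back to `UserProvider.instantiate(conf).getCurrent()`, the server process's own identity. The new `Call` constructor stores null when `connection.user` is null, so if a connection can reach dispatch without a user, its request would be attributed to the server user; the removed `isInRequestContext()` test kept the two cases apart. The same fallback is introduced in `AccessController.getActiveUser()` and `VisibilityUtils.getActiveUser()`. Consider keying the fallback on the absence of a call rather than of a user, e.g. `if (RpcServer.getCurrentCall() == null) { this.activeUser = UserProvider.instantiate(conf).getCurrent(); }`, and treating a null user inside an RPC as unauthenticated. The enclosing constructor starts and ends outside the hunk.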
@@ -76,7 +76,7 @@ import org.apache.hadoop.hbase.filter.CompareFilter;
 import org.apache.hadoop.hbase.filter.Filter;
 import org.apache.hadoop.hbase.filter.FilterList;
 import org.apache.hadoop.hbase.io.hfile.HFile;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.master.MasterServices;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.ResponseConverter;
@@ -371,11 +371,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 private void logResult(AuthResult result) {
 if (AUDITLOG.isTraceEnabled()) {
- RequestContext ctx = RequestContext.get();
- InetAddress remoteAddr = null;
- if (ctx != null) {
- remoteAddr = ctx.getRemoteAddress();
- }
+ InetAddress remoteAddr = RpcServer.getRemoteAddress();
 AUDITLOG.trace("Access " + (result.isAllowed() ? "allowed" : "denied") + " for user " + (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") + "; reason: " + result.getReason() +
@@ -391,8 +387,8 @@ public class AccessController extends BaseMasterAndRegionObserver
 * otherwise the currently logged in user is used.
 */
 private User getActiveUser() throws IOException {
- User user = RequestContext.getRequestUser();
- if (!RequestContext.isInRequestContext()) {
+ User user = RpcServer.getRequestUser();
+ if (user == null) {
 // for non-rpc handling, fallback to system user
 user = userProvider.getCurrent();
 }
@@ -1905,14 +1901,11 @@ public class AccessController extends BaseMasterAndRegionObserver
 * If so, we assume that access control is correctly enforced based on
 * the checks performed in preScannerOpen()
 */
- private void requireScannerOwner(InternalScanner s)
- throws AccessDeniedException {
- if (RequestContext.isInRequestContext()) {
- String requestUserName = RequestContext.getRequestUserName();
- String owner = scannerOwners.get(s);
- if (owner != null && !owner.equals(requestUserName)) {
- throw new AccessDeniedException("User '"+ requestUserName +"' is not the scanner owner!");
- }
+ private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
+ String requestUserName = RpcServer.getRequestUserName();
+ String owner = scannerOwners.get(s);
+ if (owner != null && !owner.equals(requestUserName)) {
+ throw new AccessDeniedException("User '"+ requestUserName +"' is not the scanner owner!");
 }
 }
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
index ebf6a0f..41613dd 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java
@@ -21,6 +21,7 @@ package org.apache.hadoop.hbase.security.access;
 import com.google.protobuf.RpcCallback;
 import com.google.protobuf.RpcController;
 import com.google.protobuf.Service;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hbase.classification.InterfaceAudience;
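Review bot: `requireScannerOwner` in the `@@ -1905,14 +1901,11 @@` hunk no longer has the `isInRequestContext()` guard, so the ownership comparison now also runs when no RPC is active and `RpcServer.getRequestUserName()` returns null. In that case any scanner with a registered owner is rejected with the message `User 'null' is not the scanner owner!`, which is fail-closed but a behaviour change for any internal caller. If that is intended, a comment such as `// No request user (non-RPC caller or unauthenticated): deny when the scanner has an owner` above the comparison would record it. The identical change is made to `VisibilityController.requireScannerOwner`, where the added `// This is duplicated code!` remark would be more useful if it named the `AccessController` method it duplicates.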
@@ -38,7 +39,7 @@ import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
 import org.apache.hadoop.hbase.coprocessor.ObserverContext;
 import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.ResponseConverter;
 import org.apache.hadoop.hbase.protobuf.generated.ClientProtos;
@@ -333,8 +334,8 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService
 }
 private User getActiveUser() {
- User user = RequestContext.getRequestUser();
- if (!RequestContext.isInRequestContext()) {
+ User user = RpcServer.getRequestUser();
+ if (user == null) {
 return null;
 }
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
index 568d6fd..6548194 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
@@ -31,7 +31,6 @@ import org.apache.hadoop.hbase.CoprocessorEnvironment;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
 import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
 import org.apache.hadoop.hbase.ipc.RpcServer;
-import org.apache.hadoop.hbase.ipc.RequestContext;
 import org.apache.hadoop.hbase.ipc.RpcServerInterface;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.ResponseConverter;
@@ -111,7 +110,7 @@ public class TokenProvider implements AuthenticationProtos.AuthenticationService
 "No secret manager configured for token authentication");
 }
- User currentUser = RequestContext.getRequestUser();
+ User currentUser = RpcServer.getRequestUser();
 UserGroupInformation ugi = null;
 if (currentUser != null) {
 ugi = currentUser.getUGI();
@@ -137,7 +136,7 @@ public class TokenProvider implements AuthenticationProtos.AuthenticationService
 @Override
 public void whoAmI(RpcController controller, AuthenticationProtos.WhoAmIRequest request, RpcCallback done) {
- User requestUser = RequestContext.getRequestUser();
+ User requestUser = RpcServer.getRequestUser();
 AuthenticationProtos.WhoAmIResponse.Builder response = AuthenticationProtos.WhoAmIResponse.newBuilder();
 if (requestUser != null) {
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
index bf1e9d7..4373bc7 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
@@ -75,7 +75,7 @@ import org.apache.hadoop.hbase.filter.Filter;
 import org.apache.hadoop.hbase.filter.FilterBase;
 import org.apache.hadoop.hbase.filter.FilterList;
 import org.apache.hadoop.hbase.io.hfile.HFile;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.master.MasterServices;
 import org.apache.hadoop.hbase.protobuf.ResponseConverter;
 import org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult;
@@ -606,12 +606,11 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 * access control is correctly enforced based on the checks performed in preScannerOpen()
 */
 private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {
- if (RequestContext.isInRequestContext()) {
- String requestUName = RequestContext.getRequestUserName();
- String owner = scannerOwners.get(s);
- if (owner != null && !owner.equals(requestUName)) {
- throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");
- }
+ // This is duplicated code!
+ String requestUName = RpcServer.getRequestUserName();
+ String owner = scannerOwners.get(s);
+ if (owner != null && !owner.equals(requestUName)) {
+ throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");
 }
 }
@@ -844,12 +843,7 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 private void logResult(boolean isAllowed, String request, String reason, byte[] user, List labelAuths, String regex) {
 if (AUDITLOG.isTraceEnabled()) {
- RequestContext ctx = RequestContext.get();
- InetAddress remoteAddr = null;
- if (ctx != null) {
- remoteAddr = ctx.getRemoteAddress();
- }
-
+ InetAddress remoteAddr = RpcServer.getRemoteAddress();
 List labelAuthsStr = new ArrayList();
 if (labelAuths != null) {
 int labelAuthsSize = labelAuths.size();
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java
index baf2a97..c4331cc 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java
@@ -44,7 +44,7 @@ import org.apache.hadoop.hbase.TagType;
 import org.apache.hadoop.hbase.exceptions.DeserializationException;
 import org.apache.hadoop.hbase.filter.Filter;
 import org.apache.hadoop.hbase.io.util.StreamUtils;
-import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.MultiUserAuthorizations;
 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.UserAuthorizations;
@@ -326,8 +326,8 @@ public class VisibilityUtils {
 * @throws IOException When there is IOE in getting the system user (During non-RPC handling).
 */
 public static User getActiveUser() throws IOException {
- User user = RequestContext.getRequestUser();
- if (!RequestContext.isInRequestContext()) {
+ User user = RpcServer.getRequestUser();
+ if (user == null) {
 user = User.getCurrent();
 }
 if (LOG.isTraceEnabled()) {
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/ipc/TestCallRunner.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/ipc/TestCallRunner.java
index be7b5b3..b328e57 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/ipc/TestCallRunner.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/ipc/TestCallRunner.java
@@ -17,7 +17,6 @@
 */
 package org.apache.hadoop.hbase.ipc;
-import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
@@ -34,7 +33,7 @@ public class TestCallRunner {
 Mockito.when(mockRpcServer.isStarted()).thenReturn(true);
 RpcServer.Call mockCall = Mockito.mock(RpcServer.Call.class);
 mockCall.connection = Mockito.mock(RpcServer.Connection.class);
- CallRunner cr = new CallRunner(mockRpcServer, mockCall, new UserProvider());
+ CallRunner cr = new CallRunner(mockRpcServer, mockCall);
 cr.run();
 }
 }
\ No newline at end of file
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
index d888f43..b5ae760 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
@@ -51,7 +51,6 @@ import org.apache.hadoop.hbase.client.HTableInterface;
 import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
 import org.apache.hadoop.hbase.ipc.BlockingRpcCallback;
 import org.apache.hadoop.hbase.ipc.FifoRpcScheduler;
-import org.apache.hadoop.hbase.ipc.RequestContext;
 import org.apache.hadoop.hbase.ipc.RpcClient;
 import org.apache.hadoop.hbase.ipc.RpcServer;
 import org.apache.hadoop.hbase.ipc.RpcServer.BlockingServiceAndInterface;
@@ -281,7 +280,7 @@ public class TestTokenAuthentication {
 public AuthenticationProtos.GetAuthenticationTokenResponse getAuthenticationToken( RpcController controller, AuthenticationProtos.GetAuthenticationTokenRequest request) throws ServiceException {
- LOG.debug("Authentication token request from "+RequestContext.getRequestUserName());
+ LOG.debug("Authentication token request from "+ RpcServer.getRequestUserName());
 // ignore passed in controller -- it's always null
 ServerRpcController serverController = new ServerRpcController();
 BlockingRpcCallback callback =
@@ -299,7 +298,7 @@ public class TestTokenAuthentication {
 public AuthenticationProtos.WhoAmIResponse whoAmI( RpcController controller, AuthenticationProtos.WhoAmIRequest request) throws ServiceException {
- LOG.debug("whoAmI() request from "+RequestContext.getRequestUserName());
+ LOG.debug("whoAmI() request from " + RpcServer.getRequestUserName());
 // ignore passed in controller -- it's always null
 ServerRpcController serverController = new ServerRpcController();
 BlockingRpcCallback callback =
--
2.2.2