diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 9e01d09..d943ab3 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -906,8 +906,8 @@
 if (!node.startsWith(zkw.baseZNode)) {
 return Ids.OPEN_ACL_UNSAFE;
 }
+ ArrayList acls = new ArrayList();
 if (isSecureZooKeeper) {
- ArrayList acls = new ArrayList();
 // add permission to hbase supper user
 String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
 if (superUsers != null) {
@@ -933,10 +933,24 @@
 } else {
 acls.addAll(Ids.CREATOR_ALL_ACL);
 }
- return acls;
 } else {
- return Ids.OPEN_ACL_UNSAFE;
+ try {
+ String zkAclConf = zkw.getConfiguration().get(HConstants.ZOOKEEPER_ACL, HConstants.ZOOKEEPER_ACL_DEFAULT);
+ zkAclConf = org.apache.hadoop.util.ZKUtil.resolveConfIndirection(zkAclConf);
+ List zkAcls = org.apache.hadoop.util.ZKUtil.parseACLs(zkAclConf);
+ if (zkAcls.isEmpty()) {
+ zkAcls = Ids.CREATOR_ALL_ACL;
+ }
+ acls.addAll(zkAcls);
+ if (zkw.isClientReadable(node)) {
+ acls.addAll(Ids.READ_ACL_UNSAFE);
+ }
+ } catch (IOException e) {
+ e.printStackTrace();
+ return Ids.OPEN_ACL_UNSAFE;
+ }
 }
+ return acls;
 }
 //
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
index b665353..95c6412 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
@@ -21,6 +21,7 @@
 import java.io.Closeable;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
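Review bot: The new `catch (IOException e)` branch in the second ZKUtil.java hunk fails open: when the value of `hbase.zookeeper.acl` cannot be resolved (for example an unreadable file behind the indirection), the znode is created with `Ids.OPEN_ACL_UNSAFE` and the only trace is `e.printStackTrace()`. An operator who configured a restrictive ACL would end up with world-writable znodes without noticing, so the error should stop the creation instead, e.g. `throw new IllegalStateException("Cannot resolve " + HConstants.ZOOKEEPER_ACL, e);`, or at least be reported through the class logger. The `zkAcls.isEmpty()` fallback to `Ids.CREATOR_ALL_ACL` presumably needs an authenticated session, which the watcher only sets up for some identifiers, so that path deserves a comment or a test. The method body starts outside the hunk.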
@@ -40,11 +41,13 @@
 import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.util.ZKUtil.ZKAuthInfo;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.WatchedEvent;
 import org.apache.zookeeper.Watcher;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
+import org.apache.zookeeper.ZooKeeper;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.data.Stat;
@@ -175,6 +178,25 @@
 this.abortable = abortable;
 setNodeNames(conf);
 this.recoverableZooKeeper = ZKUtil.connect(conf, quorum, this, identifier);
+
+ identifier = (identifier == null ? "" : identifier.split(":")[0]);
+ if("master".equals(identifier) || "regionserver".equals(identifier)){
+ if(!ZKUtil.isSecureZooKeeper(conf)){
+ ZooKeeper zkClient = recoverableZooKeeper.getZooKeeper();
+ String zkAuthConf = conf.get(HConstants.ZOOKEEPER_AUTH);
+ zkAuthConf = org.apache.hadoop.util.ZKUtil.resolveConfIndirection(zkAuthConf);
+ List zkAuths;
+ if (zkAuthConf != null) {
+ zkAuths = org.apache.hadoop.util.ZKUtil.parseAuth(zkAuthConf);
+ } else {
+ zkAuths = Collections.emptyList();
+ }
+ for(ZKAuthInfo auth : zkAuths){
+ zkClient.addAuthInfo(auth.getScheme(), auth.getAuth());
+ }
+ }
+ }
+
 if (canCreateBaseZNode) {
 createBaseZNodes();
 }
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 2795472..5215972 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
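Review bot: The credentials from `hbase.zookeeper.auth` are attached only when `identifier` starts with `master` or `regionserver`, yet the ACL from `hbase.zookeeper.acl` is applied in `ZKUtil.createACL` for every watcher, so any other process sharing that configuration would run unauthenticated against znodes it may need to write. Matching a free-form label passed by the caller is a fragile way to make that decision; an explicit constructor flag or a config switch would be easier to audit, and at minimum the block deserves a comment such as `// Non-SASL mode: register digest credentials so this session matches the configured znode ACL`. The auth info is also added once to the handle returned by `getZooKeeper()`; if `RecoverableZooKeeper` ever replaces that handle (not visible in this hunk), the new session would lack it, so the registration probably belongs where the handle is created. The constructor starts and ends outside the hunk.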
@@ -23,6 +23,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
@@ -53,4 +54,16 @@
 && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user2")))
 && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user3"))));
 }
+
+ @Test
+ public void testSimpleACL() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(HConstants.ZOOKEEPER_ACL, "digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa");
+ String node = "/hbase/testSimpleACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, "regionserver", null, false);
+ List aclList = ZKUtil.createACL(watcher, node, false);
+ Assert.assertEquals(aclList.size(), 1);
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL,
+ new Id("digest", "admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc="))));
+ }
 }
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
index 0c6244f..1b89dc6 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
@@ -171,6 +171,11 @@
 /** Name of ZooKeeper quorum configuration parameter. */
 public static final String ZOOKEEPER_QUORUM = "hbase.zookeeper.quorum";
+ public static final String ZOOKEEPER_ACL = "hbase.zookeeper.acl";
+ public static final String ZOOKEEPER_ACL_DEFAULT = "world:anyone:rwcda";
+
+ public static final String ZOOKEEPER_AUTH = "hbase.zookeeper.auth";
+
 /** Common prefix of ZooKeeper configuration properties */
 public static final String ZK_CFG_PROPERTY_PREFIX = "hbase.zookeeper.property.";
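Review bot: `Assert.assertEquals(aclList.size(), 1)` in `testSimpleACL` passes the actual value first, so a failure would report expected and actual swapped; `Assert.assertEquals(1, aclList.size());` reads correctly. The `ZooKeeperWatcher` created here is never closed; it presumably holds a ZooKeeper connection, so a try/finally around the assertions that closes it would be cleaner. Only the parse-success path is covered: a case where the `hbase.zookeeper.acl` value cannot be resolved would pin down what `createACL` returns on error.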
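Review bot: `ZOOKEEPER_ACL`, `ZOOKEEPER_ACL_DEFAULT` and `ZOOKEEPER_AUTH` are added without Javadoc, unlike the constants around them, and the default deserves an explicit warning because `world:anyone:rwcda` grants every permission to every client. Suggested comments: `/** ACL list applied to znodes when ZooKeeper SASL is not in use; parsed by Hadoop's ZKUtil.parseACLs. */`, `/** Default ACL: all permissions for anyone, i.e. no protection. */` and `/** Credentials registered on the ZooKeeper session when SASL is not in use. */`. Since both values pass through `resolveConfIndirection`, the Javadoc for `ZOOKEEPER_AUTH` should also recommend pointing it at a file with restricted permissions rather than placing the secret inline in the site configuration.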