diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
index b2a4736..60c2d0c 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
@@ -22,10 +22,8 @@ import java.io.ByteArrayInputStream;
 import java.io.DataInput;
 import java.io.DataInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -41,6 +39,7 @@ import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CellUtil;
 import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
 import org.apache.hadoop.hbase.TableName;
@@ -64,8 +63,6 @@ import org.apache.hadoop.hbase.filter.RegexStringComparator;
 import org.apache.hadoop.hbase.master.MasterServices;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
-import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
-import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
 import org.apache.hadoop.hbase.regionserver.BloomType;
 import org.apache.hadoop.hbase.regionserver.InternalScanner;
 import org.apache.hadoop.hbase.regionserver.Region;
@@ -77,11 +74,6 @@ import org.apache.hadoop.io.Text; import com.google.common.collect.ArrayListMultimap; import com.google.common.collect.ListMultimap; import com.google.common.collect.Lists; -import com.google.protobuf.ByteString; -import com.google.protobuf.CodedInputStream; -import com.google.protobuf.Message; -import com.google.protobuf.RpcController; -import com.google.protobuf.ServiceException; /** * Maintains lists of permission grants to users and groups to allow for @@ -442,12 +434,12 @@ public class AccessControlLists { static ListMultimap getTablePermissions(Configuration conf, TableName tableName) throws IOException { - return getPermissions(conf, tableName != null ? tableName.getName() : null); + return getPermissions(conf, tableName != null ? tableName.getName() : null, null); } static ListMultimap getNamespacePermissions(Configuration conf, String namespace) throws IOException { - return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace))); + return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null); } /** @@ -460,25 +452,35 @@ public class AccessControlLists { *

*/ static ListMultimap getPermissions(Configuration conf, - byte[] entryName) throws IOException { + byte[] entryName, Region r) throws IOException { if (entryName == null) entryName = ACL_GLOBAL_NAME; // for normal user tables, we just read the table row from _acl_ ListMultimap perms = ArrayListMultimap.create(); - // TODO: Pass in a Connection rather than create one each time. - try (Connection connection = ConnectionFactory.createConnection(conf)) { - try (Table table = connection.getTable(ACL_TABLE_NAME)) { - Get get = new Get(entryName); - get.addFamily(ACL_LIST_FAMILY); - Result row = table.get(get); - if (!row.isEmpty()) { - perms = parsePermissions(entryName, row); - } else { - LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry " - + Bytes.toString(entryName)); + Get get = new Get(entryName); + Result row = null; + if (r != null) { + HRegionInfo info = r.getRegionInfo(); + if (info.containsRow(entryName)) { + // the entry is within current region + row = r.get(get); + } + } + if (row == null) { + // TODO: Pass in a Connection rather than create one each time. + try (Connection connection = ConnectionFactory.createConnection(conf)) { + try (Table table = connection.getTable(ACL_TABLE_NAME)) { + get.addFamily(ACL_LIST_FAMILY); + row = table.get(get); } } } + if (!row.isEmpty()) { + perms = parsePermissions(entryName, row); + } else { + LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry " + + Bytes.toString(entryName)); + } return perms; } @@ -501,7 +503,7 @@ public class AccessControlLists { Configuration conf, byte[] entryName) throws IOException { ListMultimap allPerms = getPermissions( - conf, entryName); + conf, entryName, null); List perms = new ArrayList(); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 1163c44..26c1372 100644 
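Review bot: The region-local branch of getPermissions calls `r.get(get)` before `get.addFamily(ACL_LIST_FAMILY)` has been applied, so that read is not restricted to the ACL family while the fallback `table.get(get)` is. If the ACL table ever carries cells outside that family, the two paths would hand different rows to parsePermissions, which is an avoidable inconsistency in code that feeds authorization decisions. Apply the restriction once at construction, `Get get = new Get(entryName); get.addFamily(ACL_LIST_FAMILY);`, and drop the call from the fallback branch. The new `Region r` parameter also needs a Javadoc line, for example `@param r region to read from when it hosts entryName, or null to always read through a Connection`; the Javadoc above the method is only partly visible in this hunk.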
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -272,7 +272,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 for (byte[] entry: entries) {
 try {
 ListMultimap perms =
- AccessControlLists.getPermissions(conf, entry);
+ AccessControlLists.getPermissions(conf, entry, e.getRegion());
 byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
 zkw.writeToZookeeper(entry, serialized);
 } catch (IOException ex) {
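Review bot: Passing `e.getRegion()` moves the ACL lookup from a client Connection to a direct region read in the calling request's context, and nothing at this call site states which identity that read is evaluated under. If the region-level get goes through coprocessor read hooks (not visible in this diff), the lookup could be checked against the requesting user rather than the server's own credentials, and a denial would fall into the `catch (IOException ex)` branch, whose handling lies outside the hunk. A comment above the call, such as `// read from the hosting region when it holds the entry; must run with server privileges`, together with a test that issues a grant as a non-superuser table admin, would pin the intended behaviour. The enclosing loop and method begin and end outside this hunk.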