From 59027c41fa61106b976bed988ed78d3410dfb9fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E4=B8=96=E5=BD=AC10204932?=
Date: Sat, 22 Jul 2017 12:28:43 +0800
Subject: [PATCH] HBASE-18323 Remove multiple ACLs for the same user in kerberos
---
 .../java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java | 13 ++++++++++---
 .../org/apache/hadoop/hbase/zookeeper/TestZKUtil.java | 16 ++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 08b059e..07399f9 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -31,10 +31,8 @@ import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
-
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -58,6 +56,7 @@ import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.CreateAndFailSilent;
 import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.DeleteNodeFailSilent;
 import org.apache.hadoop.hbase.zookeeper.ZKUtil.ZKUtilOp.SetData;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.zookeeper.AsyncCallback;
 import org.apache.zookeeper.CreateMode;
@@ -907,6 +906,12 @@ public class ZKUtil {
 ArrayList acls = new ArrayList<>();
 // add permission to hbase supper user
 String[] superUsers = zkw.getConfiguration().getStrings(Superusers.SUPERUSER_CONF_KEY);
+ String hbaseUser = null;
+ try {
+ hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
+ } catch (IOException e) {
+ LOG.debug("Current service user could not get.", e);
+ }
 if (superUsers != null) {
 List groups = new ArrayList<>();
 for (String user : superUsers) {
@@ -914,7 +919,9 @@ public class ZKUtil {
 // TODO: Set node ACL for groups when ZK supports this feature
 groups.add(user);
 } else {
- acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ if(!user.equals(hbaseUser)) {
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
+ }
 }
 }
 if (!groups.isEmpty()) {
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index 076569b..0e1ab92 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.zookeeper.ZooDefs.Ids;
 import org.apache.zookeeper.ZooDefs.Perms;
 import org.apache.zookeeper.data.ACL;
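Review bot: In the ZKUtil.java hunk at `@@ -907,6 +906,12 @@`, the name that decides which superuser is skipped comes from `UserGroupInformation.getCurrentUser()`, which reflects the calling context rather than the principal the ZooKeeper session authenticated with. If this code can run inside a `doAs` for another user (not visible on this page), a superuser with that short name would lose its explicit `sasl` entry in the next hunk while the creator ACL covers a different identity. The log text and the new test (`setLoginUser`) both suggest the service identity is meant, so `hbaseUser = UserGroupInformation.getLoginUser().getShortUserName();` would state that directly; otherwise add a comment such as `// assumes the current UGI user is the principal used for the ZK SASL login`. The debug message would read better as `"Could not determine the current service user."`. The enclosing method starts and ends outside the hunk.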
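Review bot: In the ZKUtil.java hunk at `@@ -914,7 +919,9 @@`, the new `if(!user.equals(hbaseUser))` drops an ACL entry without saying why that is safe. The test in this patch expects an `Id("auth", "")` entry, so the reason is presumably that the creator ACL already covers the service user; a comment like `// service user already gets ALL through the "auth" creator ACL` belongs on that line. The check is an exact string match against the short name, so it only takes effect when the superuser is configured in that same form, which is worth stating in the comment as well. For style, `} else if (!user.equals(hbaseUser)) {` removes the extra nesting level and fixes the missing space after `if`. The loop and the method continue outside the hunk.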
@@ -77,4 +78,19 @@ public class TestZKUtil {
 Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
 Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
 }
+
+ @Test
+ public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6");
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4"));
+ String node = "/hbase/testCreateACL";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 3); // 3, since service user the same as one of superuser
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", ""))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6"))));
+ }
 }
--
1.9.1
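Review bot: `UserGroupInformation.setLoginUser(...)` in `testCreateACLWithSameUser` changes process-wide static state and the test never restores it, so any later test in the same JVM that builds ACLs or reads the login user runs as `user4`. Capture the previous value first with `UserGroupInformation previous = UserGroupInformation.getLoginUser();` and restore it in a `finally` with `UserGroupInformation.setLoginUser(previous);`. The arguments of `Assert.assertEquals(aclList.size(), 3)` are also reversed; `Assert.assertEquals(3, aclList.size());` yields a correct failure message.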