From 38b723c8fa2e745e26587fca5fca27f3fb1bde0b Mon Sep 17 00:00:00 2001 From: Guangxu Cheng Date: Tue, 12 Dec 2017 00:54:21 +0800 Subject: [PATCH] HBASE-19483 Add proper privilege check for rsgroup commands --- .../hadoop/hbase/rsgroup/RSGroupAdminServer.java | 37 ++++++++- .../hadoop/hbase/coprocessor/MasterObserver.java | 56 ++++++++++++++ .../hadoop/hbase/master/MasterCoprocessorHost.java | 88 ++++++++++++++++++++++ .../hbase/security/access/AccessController.java | 24 ++++++ 4 files changed, 201 insertions(+), 4 deletions(-) diff --git a/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminServer.java b/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminServer.java index 45421e3..62bf292 100644 --- a/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminServer.java +++ b/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminServer.java @@ -67,15 +67,30 @@ public class RSGroupAdminServer implements RSGroupAdmin { @Override public RSGroupInfo getRSGroupInfo(String groupName) throws IOException { - return rsGroupInfoManager.getRSGroup(groupName); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().preGetRSGroupInfo(groupName); + } + RSGroupInfo rsGroupInfo = rsGroupInfoManager.getRSGroup(groupName); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().postGetRSGroupInfo(groupName); + } + return rsGroupInfo; } @Override public RSGroupInfo getRSGroupInfoOfTable(TableName tableName) throws IOException { + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().preGetRSGroupInfoOfTable(tableName); + } // We are reading across two Maps in the below with out synchronizing across // them; should be safe most of the time. String groupName = rsGroupInfoManager.getRSGroupOfTable(tableName); - return groupName == null? null: rsGroupInfoManager.getRSGroup(groupName); + RSGroupInfo rsGroupInfo = groupName == null? + null: rsGroupInfoManager.getRSGroup(groupName); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().postGetRSGroupInfoOfTable(tableName); + } + return rsGroupInfo; } private void checkOnlineServersOnly(Set
servers) throws ConstraintException { @@ -536,12 +551,26 @@ public class RSGroupAdminServer implements RSGroupAdmin { @Override public List listRSGroups() throws IOException { - return rsGroupInfoManager.listRSGroups(); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().preListRSGroup(); + } + List groupInfos = rsGroupInfoManager.listRSGroups(); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().postListRSGroup(); + } + return groupInfos; } @Override public RSGroupInfo getRSGroupOfServer(Address hostPort) throws IOException { - return rsGroupInfoManager.getRSGroupOfServer(hostPort); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().preGetRSGroupOfServer(hostPort); + } + RSGroupInfo rsGroupInfo = rsGroupInfoManager.getRSGroupOfServer(hostPort); + if (master.getMasterCoprocessorHost() != null) { + master.getMasterCoprocessorHost().postGetRSGroupOfServer(hostPort); + } + return rsGroupInfo; } @Override diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java index 6ef5504..0b4c019 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java @@ -1117,6 +1117,62 @@ public interface MasterObserver { Set
servers) throws IOException {} /** + * Called before list rsgroup + * @param ctx the environment to interact with the framework and master + */ + default void preListRSGroup( + final ObserverContext ctx) throws IOException {} + + /** + * Called after list rsgroup + * @param ctx the environment to interact with the framework and master + */ + default void postListRSGroup( + final ObserverContext ctx) throws IOException {} + + /** + * Called before get rsgroup info for given group name + * @param ctx the environment to interact with the framework and master + */ + default void preGetRSGroupInfo(final ObserverContext ctx, + final String groupName) throws IOException {} + + /** + * Called after get rsgroup info for given group name + * @param ctx the environment to interact with the framework and master + */ + default void postGetRSGroupInfo(final ObserverContext ctx, + final String groupName) throws IOException {} + + /** + * Called before get rsgroup info for given table name + * @param ctx the environment to interact with the framework and master + */ + default void preGetRSGroupInfoOfTable(final ObserverContext ctx, + final TableName tableName) throws IOException {} + + /** + * Called after get rsgroup info for given table name + * @param ctx the environment to interact with the framework and master + */ + default void postGetRSGroupInfoOfTable(final ObserverContext ctx, + final TableName tableName) throws IOException {} + + /** + * Called before get rsgroup info for given server + * @param ctx the environment to interact with the framework and master + */ + default void preGetRSGroupOfServer(final ObserverContext ctx, + final Address hostPort) throws IOException {} + + /** + * Called after get rsgroup info for given server + * @param ctx the environment to interact with the framework and master + */ + default void postGetRSGroupOfServer(final ObserverContext ctx, + final Address hostPort) throws IOException {} + + /** * Called before add a replication peer * @param ctx the environment to interact with the framework and master * @param peerId a short name that identifies the peer diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java index bc26229..f719c53 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java @@ -1426,6 +1426,94 @@ public class MasterCoprocessorHost }); } + public void preListRSGroup() throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.preListRSGroup(this); + } + } + }); + } + + public void postListRSGroup() throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.postListRSGroup(this); + } + } + }); + } + + public void preGetRSGroupInfo(String groupName) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.preGetRSGroupInfo(this, groupName); + } + } + }); + } + + public void postGetRSGroupInfo(String groupName) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.postGetRSGroupInfo(this, groupName); + } + } + }); + } + + public void preGetRSGroupInfoOfTable(TableName tableName) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.preGetRSGroupInfoOfTable(this, tableName); + } + } + }); + } + + public void postGetRSGroupInfoOfTable(TableName tableName) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.postGetRSGroupInfoOfTable(this, tableName); + } + } + }); + } + + public void preGetRSGroupOfServer(Address hostPort) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.preGetRSGroupOfServer(this, hostPort); + } + } + }); + } + + public void postGetRSGroupOfServer(Address hostPort) throws IOException { + execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { + @Override + public void call(MasterObserver observer) throws IOException { + if(((MasterEnvironment)getEnvironment()).supportGroupCPs) { + observer.postGetRSGroupOfServer(this, hostPort); + } + } + }); + } + public void preAddReplicationPeer(final String peerId, final ReplicationPeerConfig peerConfig) throws IOException { execOperation(coprocEnvironments.isEmpty() ? null : new MasterObserverOperation() { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 2e2d263..d310dbf 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -2693,6 +2693,30 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, } @Override + public void preListRSGroup(ObserverContext ctx) + throws IOException { + requirePermission(getActiveUser(ctx), "listRSGroup", Action.ADMIN); + } + + @Override + public void preGetRSGroupInfo(ObserverContext ctx, + String groupName) throws IOException { + requirePermission(getActiveUser(ctx), "getRSGroup", Action.ADMIN); + } + + @Override + public void preGetRSGroupInfoOfTable(ObserverContext ctx, + TableName tableName) throws IOException { + requirePermission(getActiveUser(ctx), "getRSGroupInfoOfTable", Action.ADMIN); + } + + @Override + public void preGetRSGroupOfServer(ObserverContext ctx, + Address hostPort) throws IOException { + requirePermission(getActiveUser(ctx), "getRSGroupOfServer", Action.ADMIN); + } + + @Override public void preAddReplicationPeer(final ObserverContext ctx, String peerId, ReplicationPeerConfig peerConfig) throws IOException { requirePermission(getActiveUser(ctx), "addReplicationPeer", Action.ADMIN); -- 2.10.1