From a15525a48c7a63c02ca550c0bb124b5eaf31c73e Mon Sep 17 00:00:00 2001 From: Gary Helmling Date: Mon, 15 Apr 2019 11:18:23 -0700 Subject: [PATCH] HBASE-17884 Backport HBASE-16217 to branch-1 HBASE-16217 Pass through the calling user in ObserverContext Signed-off-by: Andrew Purtell --- .../hadoop/hbase/protobuf/ProtobufUtil.java | 2 +- .../hbase/coprocessor/ObserverContext.java | 42 ++- .../hbase/master/MasterCoprocessorHost.java | 95 +++-- .../master/handler/CreateTableHandler.java | 11 +- .../master/handler/DisableTableHandler.java | 5 +- .../master/handler/EnableTableHandler.java | 5 +- .../procedure/AddColumnFamilyProcedure.java | 35 +- .../procedure/CreateTableProcedure.java | 25 +- .../DeleteColumnFamilyProcedure.java | 35 +- .../procedure/DeleteTableProcedure.java | 25 +- .../procedure/DisableTableProcedure.java | 35 +- .../procedure/EnableTableProcedure.java | 36 +- .../master/procedure/MasterProcedureUtil.java | 17 +- .../ModifyColumnFamilyProcedure.java | 35 +- .../procedure/ModifyTableProcedure.java | 36 +- .../procedure/TruncateTableProcedure.java | 26 +- .../hadoop/hbase/regionserver/HStore.java | 63 +--- .../regionserver/RegionCoprocessorHost.java | 73 ++-- .../RegionMergeTransactionImpl.java | 110 +----- .../RegionServerCoprocessorHost.java | 33 +- .../regionserver/SplitTransactionImpl.java | 113 +----- .../regionserver/compactions/Compactor.java | 38 +- .../security/access/AccessController.java | 333 ++++++++++-------- .../access/SecureBulkLoadEndpoint.java | 4 +- 24 files changed, 495 insertions(+), 737 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java index 4b511f74f2..36e495d7c2 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java @@ -2125,7 +2125,7 @@ public final class ProtobufUtil { region_a.getRegionName(), region_b.getRegionName(),forcible); if (user != null) { try { - user.getUGI().doAs(new PrivilegedExceptionAction() { + user.runAs(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { try { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java index 78279add01..b6a31c0955 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/ObserverContext.java @@ -23,6 +23,8 @@ import org.apache.hadoop.hbase.classification.InterfaceAudience; import org.apache.hadoop.hbase.classification.InterfaceStability; import org.apache.hadoop.hbase.CoprocessorEnvironment; import org.apache.hadoop.hbase.HBaseInterfaceAudience; +import org.apache.hadoop.hbase.ipc.RpcServer; +import org.apache.hadoop.hbase.security.User; /** * Carries the execution state for a given invocation of an Observer coprocessor @@ -40,8 +42,10 @@ public class ObserverContext { private E env; private boolean bypass; private boolean complete; + private User caller; - public ObserverContext() { + public ObserverContext(User caller) { + this.caller = caller; } public E getEnvironment() { @@ -91,6 +95,16 @@ public class ObserverContext { return current; } + /** + * Returns the active user for the coprocessor call. + * If an explicit {@code User} instance was provided to the constructor, that will be returned, + * otherwise if we are in the context of an RPC call, the remote user is used. May return null + * if the execution is outside of an RPC context. + */ + public User getCaller() { + return caller; + } + /** * Instantiates a new ObserverContext instance if the passed reference is * null and sets the environment in the new or existing instance. @@ -103,10 +117,34 @@ public class ObserverContext { * @param The environment type for the context * @return An instance of ObserverContext with the environment set */ + @Deprecated + // TODO: Remove this method, ObserverContext should not depend on RpcServer public static ObserverContext createAndPrepare( T env, ObserverContext context) { if (context == null) { - context = new ObserverContext(); + context = new ObserverContext(RpcServer.getRequestUser()); + } + context.prepare(env); + return context; + } + + /** + * Instantiates a new ObserverContext instance if the passed reference is + * null and sets the environment in the new or existing instance. + * This allows deferring the instantiation of a ObserverContext until it is + * actually needed. + * + * @param env The coprocessor environment to set + * @param context An existing ObserverContext instance to use, or null + * to create a new instance + * @param user The requesting caller for the execution context + * @param The environment type for the context + * @return An instance of ObserverContext with the environment set + */ + public static ObserverContext createAndPrepare( + T env, ObserverContext context, User user) { + if (context == null) { + context = new ObserverContext(user); } context.prepare(env); return context; diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java index 6965eae377..a7bf5c1364 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java @@ -44,12 +44,14 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; import org.apache.hadoop.hbase.coprocessor.MasterObserver; import org.apache.hadoop.hbase.coprocessor.MetricsCoprocessor; import org.apache.hadoop.hbase.coprocessor.ObserverContext; +import org.apache.hadoop.hbase.ipc.RpcServer; import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv; import org.apache.hadoop.hbase.metrics.MetricRegistry; import org.apache.hadoop.hbase.net.Address; import org.apache.hadoop.hbase.procedure2.ProcedureExecutor; import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription; import org.apache.hadoop.hbase.protobuf.generated.QuotaProtos.Quotas; +import org.apache.hadoop.hbase.security.User; /** * Provides the coprocessor framework and environment for master oriented @@ -257,9 +259,9 @@ public class MasterCoprocessorHost }); } - public void preCreateTableHandler(final HTableDescriptor htd, final HRegionInfo[] regions) - throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preCreateTableHandler(final HTableDescriptor htd, final HRegionInfo[] regions, + final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -268,9 +270,9 @@ public class MasterCoprocessorHost }); } - public void postCreateTableHandler(final HTableDescriptor htd, final HRegionInfo[] regions) - throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postCreateTableHandler(final HTableDescriptor htd, final HRegionInfo[] regions, + final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -299,8 +301,8 @@ public class MasterCoprocessorHost }); } - public void preDeleteTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preDeleteTableHandler(final TableName tableName, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -309,8 +311,9 @@ public class MasterCoprocessorHost }); } - public void postDeleteTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postDeleteTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -339,8 +342,9 @@ public class MasterCoprocessorHost }); } - public void preTruncateTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preTruncateTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -349,8 +353,9 @@ public class MasterCoprocessorHost }); } - public void postTruncateTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postTruncateTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -381,9 +386,10 @@ public class MasterCoprocessorHost }); } - public void preModifyTableHandler(final TableName tableName, final HTableDescriptor htd) + public void preModifyTableHandler(final TableName tableName, final HTableDescriptor htd, + final User user) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -392,9 +398,10 @@ public class MasterCoprocessorHost }); } - public void postModifyTableHandler(final TableName tableName, final HTableDescriptor htd) + public void postModifyTableHandler(final TableName tableName, final HTableDescriptor htd, + final User user) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -425,9 +432,10 @@ public class MasterCoprocessorHost }); } - public boolean preAddColumnHandler(final TableName tableName, final HColumnDescriptor column) + public boolean preAddColumnHandler(final TableName tableName, final HColumnDescriptor column, + final User user) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -436,9 +444,10 @@ public class MasterCoprocessorHost }); } - public void postAddColumnHandler(final TableName tableName, final HColumnDescriptor column) + public void postAddColumnHandler(final TableName tableName, final HColumnDescriptor column, + final User user) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -470,8 +479,8 @@ public class MasterCoprocessorHost } public boolean preModifyColumnHandler(final TableName tableName, - final HColumnDescriptor descriptor) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + final HColumnDescriptor descriptor, final User user) throws IOException { + return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -481,8 +490,8 @@ public class MasterCoprocessorHost } public void postModifyColumnHandler(final TableName tableName, - final HColumnDescriptor descriptor) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + final HColumnDescriptor descriptor, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -511,9 +520,10 @@ public class MasterCoprocessorHost }); } - public boolean preDeleteColumnHandler(final TableName tableName, final byte[] c) + public boolean preDeleteColumnHandler(final TableName tableName, final byte[] c, + final User user) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -522,9 +532,10 @@ public class MasterCoprocessorHost }); } - public void postDeleteColumnHandler(final TableName tableName, final byte[] c) + public void postDeleteColumnHandler(final TableName tableName, final byte[] c, + final User user) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -553,8 +564,8 @@ public class MasterCoprocessorHost }); } - public void preEnableTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preEnableTableHandler(final TableName tableName, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -563,8 +574,9 @@ public class MasterCoprocessorHost }); } - public void postEnableTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postEnableTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -593,8 +605,9 @@ public class MasterCoprocessorHost }); } - public void preDisableTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preDisableTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -603,8 +616,9 @@ public class MasterCoprocessorHost }); } - public void postDisableTableHandler(final TableName tableName) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postDisableTableHandler(final TableName tableName, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(MasterObserver oserver, ObserverContext ctx) throws IOException { @@ -1404,6 +1418,11 @@ public class MasterCoprocessorHost private static abstract class CoprocessorOperation extends ObserverContext { public CoprocessorOperation() { + this(RpcServer.getRequestUser()); + } + + public CoprocessorOperation(User user) { + super(user); } public abstract void call(MasterObserver oserver, diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java index a639407e7d..79e24938af 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/CreateTableHandler.java @@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.master.handler; import java.io.IOException; import java.io.InterruptedIOException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; @@ -200,18 +199,12 @@ public class CreateTableHandler extends EventHandler { try { final MasterCoprocessorHost cpHost = master.getMasterCoprocessorHost(); if (cpHost != null) { - cpHost.preCreateTableHandler(this.hTableDescriptor, this.newRegions); + cpHost.preCreateTableHandler(this.hTableDescriptor, this.newRegions, activeUser); } handleCreateTable(tableName); completed(null); if (cpHost != null) { - this.activeUser.runAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.postCreateTableHandler(hTableDescriptor, newRegions); - return null; - } - }); + cpHost.postCreateTableHandler(hTableDescriptor, newRegions, activeUser); } } catch (Throwable e) { LOG.error("Error trying to create the table " + tableName, e); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java index d889671771..76f603f3bc 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/DisableTableHandler.java @@ -129,12 +129,13 @@ public class DisableTableHandler extends EventHandler { LOG.info("Attempting to disable table " + this.tableName); MasterCoprocessorHost cpHost = ((HMaster) this.server) .getMasterCoprocessorHost(); + // this executes in assignment manager to recover disabling table, not overriding user if (cpHost != null) { - cpHost.preDisableTableHandler(this.tableName); + cpHost.preDisableTableHandler(this.tableName, null); } handleDisableTable(); if (cpHost != null) { - cpHost.postDisableTableHandler(this.tableName); + cpHost.postDisableTableHandler(this.tableName, null); } } catch (IOException e) { LOG.error("Error trying to disable table " + this.tableName, e); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java index 243ec2d814..2e6a10a7ee 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/handler/EnableTableHandler.java @@ -150,12 +150,13 @@ public class EnableTableHandler extends EventHandler { LOG.info("Attempting to enable the table " + this.tableName); MasterCoprocessorHost cpHost = ((HMaster) this.server) .getMasterCoprocessorHost(); + // this executes within assignment manager, so not overriding user if (cpHost != null) { - cpHost.preEnableTableHandler(this.tableName); + cpHost.preEnableTableHandler(this.tableName, null); } handleEnableTable(); if (cpHost != null) { - cpHost.postEnableTableHandler(this.tableName); + cpHost.postEnableTableHandler(this.tableName, null); } } catch (IOException e) { LOG.error("Error trying to enable the table " + this.tableName, e); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java index a7e34d8bc0..a3dc1a4952 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/AddColumnFamilyProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.concurrent.atomic.AtomicBoolean; @@ -39,7 +38,7 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.AddColumnFamilyState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; -import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.hbase.security.User; /** * The procedure to add a column family to an existing table. @@ -55,7 +54,7 @@ public class AddColumnFamilyProcedure private TableName tableName; private HTableDescriptor unmodifiedHTableDescriptor; private HColumnDescriptor cfDescriptor; - private UserGroupInformation user; + private User user; private List regionInfoList; private Boolean traceEnabled; @@ -70,8 +69,8 @@ public class AddColumnFamilyProcedure final HColumnDescriptor cfDescriptor) { this.tableName = tableName; this.cfDescriptor = cfDescriptor; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); this.unmodifiedHTableDescriptor = null; this.regionInfoList = null; this.traceEnabled = null; @@ -375,22 +374,16 @@ public class AddColumnFamilyProcedure throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case ADD_COLUMN_FAMILY_PRE_OPERATION: - cpHost.preAddColumnHandler(tableName, cfDescriptor); - break; - case ADD_COLUMN_FAMILY_POST_OPERATION: - cpHost.postAddColumnHandler(tableName, cfDescriptor); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case ADD_COLUMN_FAMILY_PRE_OPERATION: + cpHost.preAddColumnHandler(tableName, cfDescriptor, user); + break; + case ADD_COLUMN_FAMILY_POST_OPERATION: + cpHost.postAddColumnHandler(tableName, cfDescriptor, user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java index f3218ee64e..152af450a7 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/CreateTableProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; import java.util.concurrent.atomic.AtomicBoolean; @@ -48,11 +47,11 @@ import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.CreateTableState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.FSTableDescriptors; import org.apache.hadoop.hbase.util.FSUtils; import org.apache.hadoop.hbase.util.ModifyRegionUtils; import org.apache.hadoop.hbase.util.ServerRegionReplicaUtil; -import org.apache.hadoop.security.UserGroupInformation; import com.google.common.collect.Lists; @@ -69,7 +68,7 @@ public class CreateTableProcedure private HTableDescriptor hTableDescriptor; private List newRegions; - private UserGroupInformation user; + private User user; public CreateTableProcedure() { // Required by the Procedure framework to create the procedure on replay @@ -86,8 +85,8 @@ public class CreateTableProcedure final ProcedurePrepareLatch syncLatch) { this.hTableDescriptor = hTableDescriptor; this.newRegions = newRegions != null ? Lists.newArrayList(newRegions) : null; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); // used for compatibility with clients without procedures // they need a sync TableExistsException @@ -330,13 +329,7 @@ public class CreateTableProcedure if (cpHost != null) { final HRegionInfo[] regions = newRegions == null ? null : newRegions.toArray(new HRegionInfo[newRegions.size()]); - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.preCreateTableHandler(hTableDescriptor, regions); - return null; - } - }); + cpHost.preCreateTableHandler(hTableDescriptor, regions, user); } } @@ -346,13 +339,7 @@ public class CreateTableProcedure if (cpHost != null) { final HRegionInfo[] regions = (newRegions == null) ? null : newRegions.toArray(new HRegionInfo[newRegions.size()]); - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.postCreateTableHandler(hTableDescriptor, regions); - return null; - } - }); + cpHost.postCreateTableHandler(hTableDescriptor, regions, user); } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java index bb8a2016db..5b1a69c0ec 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteColumnFamilyProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.concurrent.atomic.AtomicBoolean; @@ -38,9 +37,9 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DeleteColumnFamilyState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.ByteStringer; import org.apache.hadoop.hbase.util.Bytes; -import org.apache.hadoop.security.UserGroupInformation; /** * The procedure to delete a column family from an existing table. @@ -56,7 +55,7 @@ public class DeleteColumnFamilyProcedure private HTableDescriptor unmodifiedHTableDescriptor; private TableName tableName; private byte [] familyName; - private UserGroupInformation user; + private User user; private List regionInfoList; private Boolean traceEnabled; @@ -71,8 +70,8 @@ public class DeleteColumnFamilyProcedure final byte[] familyName) { this.tableName = tableName; this.familyName = familyName; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); this.unmodifiedHTableDescriptor = null; this.regionInfoList = null; this.traceEnabled = null; @@ -396,22 +395,16 @@ public class DeleteColumnFamilyProcedure final DeleteColumnFamilyState state) throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case DELETE_COLUMN_FAMILY_PRE_OPERATION: - cpHost.preDeleteColumnHandler(tableName, familyName); - break; - case DELETE_COLUMN_FAMILY_POST_OPERATION: - cpHost.postDeleteColumnHandler(tableName, familyName); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case DELETE_COLUMN_FAMILY_PRE_OPERATION: + cpHost.preDeleteColumnHandler(tableName, familyName, user); + break; + case DELETE_COLUMN_FAMILY_POST_OPERATION: + cpHost.postDeleteColumnHandler(tableName, familyName, user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java index 6d27b467a6..673588de26 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DeleteTableProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.InputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; @@ -53,8 +52,8 @@ import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DeleteTableState; import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.procedure2.StateMachineProcedure; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.FSUtils; -import org.apache.hadoop.security.UserGroupInformation; @InterfaceAudience.Private public class DeleteTableProcedure @@ -63,7 +62,7 @@ public class DeleteTableProcedure private static final Log LOG = LogFactory.getLog(DeleteTableProcedure.class); private List regions; - private UserGroupInformation user; + private User user; private TableName tableName; // used for compatibility with old clients @@ -81,8 +80,8 @@ public class DeleteTableProcedure public DeleteTableProcedure(final MasterProcedureEnv env, final TableName tableName, final ProcedurePrepareLatch syncLatch) { this.tableName = tableName; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); // used for compatibility with clients without procedures // they need a sync TableNotFoundException, TableNotDisabledException, ... @@ -263,13 +262,7 @@ public class DeleteTableProcedure final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { final TableName tableName = this.tableName; - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.preDeleteTableHandler(tableName); - return null; - } - }); + cpHost.preDeleteTableHandler(tableName, user); } return true; } @@ -281,13 +274,7 @@ public class DeleteTableProcedure final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { final TableName tableName = this.tableName; - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.postDeleteTableHandler(tableName); - return null; - } - }); + cpHost.postDeleteTableHandler(tableName, user); } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java index 185c0d0b09..bec599cbb4 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/DisableTableProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.concurrent.ExecutorService; import java.util.concurrent.atomic.AtomicBoolean; @@ -47,8 +46,8 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.DisableTableState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.EnvironmentEdgeManager; -import org.apache.hadoop.security.UserGroupInformation; import org.apache.htrace.Trace; @InterfaceAudience.Private @@ -64,7 +63,7 @@ public class DisableTableProcedure private TableName tableName; private boolean skipTableStateCheck; - private UserGroupInformation user; + private User user; private Boolean traceEnabled = null; @@ -99,8 +98,8 @@ public class DisableTableProcedure final boolean skipTableStateCheck, final ProcedurePrepareLatch syncLatch) { this.tableName = tableName; this.skipTableStateCheck = skipTableStateCheck; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); // Compatible with 1.0: We use latch to make sure that this procedure implementation is // compatible with 1.0 asynchronized operations. We need to lock the table and check @@ -475,22 +474,16 @@ public class DisableTableProcedure throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case DISABLE_TABLE_PRE_OPERATION: - cpHost.preDisableTableHandler(tableName); - break; - case DISABLE_TABLE_POST_OPERATION: - cpHost.postDisableTableHandler(tableName); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case DISABLE_TABLE_PRE_OPERATION: + cpHost.preDisableTableHandler(tableName, user); + break; + case DISABLE_TABLE_POST_OPERATION: + cpHost.postDisableTableHandler(tableName, user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java index 14f68e2fbc..f4a45388a5 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/EnableTableProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -39,7 +38,6 @@ import org.apache.hadoop.hbase.TableNotFoundException; import org.apache.hadoop.hbase.TableStateManager; import org.apache.hadoop.hbase.classification.InterfaceAudience; import org.apache.hadoop.hbase.exceptions.HBaseException; -import org.apache.hadoop.hbase.executor.EventType; import org.apache.hadoop.hbase.master.AssignmentManager; import org.apache.hadoop.hbase.master.BulkAssigner; import org.apache.hadoop.hbase.master.GeneralBulkAssigner; @@ -52,9 +50,9 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.EnableTableState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.Pair; import org.apache.hadoop.hbase.zookeeper.MetaTableLocator; -import org.apache.hadoop.security.UserGroupInformation; @InterfaceAudience.Private public class EnableTableProcedure @@ -69,7 +67,7 @@ public class EnableTableProcedure private TableName tableName; private boolean skipTableStateCheck; - private UserGroupInformation user; + private User user; private Boolean traceEnabled = null; @@ -98,8 +96,8 @@ public class EnableTableProcedure final boolean skipTableStateCheck, final ProcedurePrepareLatch syncLatch) { this.tableName = tableName; this.skipTableStateCheck = skipTableStateCheck; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); // Compatible with 1.0: We use latch to make sure that this procedure implementation is // compatible with 1.0 asynchronized operations. We need to lock the table and check @@ -558,22 +556,16 @@ public class EnableTableProcedure throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case ENABLE_TABLE_PRE_OPERATION: - cpHost.preEnableTableHandler(getTableName()); - break; - case ENABLE_TABLE_POST_OPERATION: - cpHost.postEnableTableHandler(getTableName()); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case ENABLE_TABLE_PRE_OPERATION: + cpHost.preEnableTableHandler(getTableName(), user); + break; + case ENABLE_TABLE_POST_OPERATION: + cpHost.postEnableTableHandler(getTableName(), user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java index 4759e7ddd4..3516c97111 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureUtil.java @@ -20,8 +20,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.classification.InterfaceAudience; import org.apache.hadoop.hbase.classification.InterfaceStability; import org.apache.hadoop.hbase.master.MasterServices; @@ -35,28 +33,27 @@ import org.apache.hadoop.security.UserGroupInformation; @InterfaceAudience.Private @InterfaceStability.Evolving public final class MasterProcedureUtil { - private static final Log LOG = LogFactory.getLog(MasterProcedureUtil.class); private MasterProcedureUtil() {} - public static UserInformation toProtoUserInfo(UserGroupInformation ugi) { + public static UserInformation toProtoUserInfo(User user) { UserInformation.Builder userInfoPB = UserInformation.newBuilder(); - userInfoPB.setEffectiveUser(ugi.getUserName()); - if (ugi.getRealUser() != null) { - userInfoPB.setRealUser(ugi.getRealUser().getUserName()); + userInfoPB.setEffectiveUser(user.getName()); + if (user.getUGI().getRealUser() != null) { + userInfoPB.setRealUser(user.getUGI().getRealUser().getUserName()); } return userInfoPB.build(); } - public static UserGroupInformation toUserInfo(UserInformation userInfoProto) { + public static User toUserInfo(UserInformation userInfoProto) { if (userInfoProto.hasEffectiveUser()) { String effectiveUser = userInfoProto.getEffectiveUser(); if (userInfoProto.hasRealUser()) { String realUser = userInfoProto.getRealUser(); UserGroupInformation realUserUgi = UserGroupInformation.createRemoteUser(realUser); - return UserGroupInformation.createProxyUser(effectiveUser, realUserUgi); + return User.create(UserGroupInformation.createProxyUser(effectiveUser, realUserUgi)); } - return UserGroupInformation.createRemoteUser(effectiveUser); + return User.create(UserGroupInformation.createRemoteUser(effectiveUser)); } return null; } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java index 5e81dbf941..5a6b59229f 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyColumnFamilyProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.concurrent.atomic.AtomicBoolean; @@ -39,7 +38,7 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.ModifyColumnFamilyState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; -import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.hbase.security.User; /** * The procedure to modify a column family from an existing table. @@ -55,7 +54,7 @@ public class ModifyColumnFamilyProcedure private TableName tableName; private HTableDescriptor unmodifiedHTableDescriptor; private HColumnDescriptor cfDescriptor; - private UserGroupInformation user; + private User user; private Boolean traceEnabled; @@ -68,8 +67,8 @@ public class ModifyColumnFamilyProcedure final HColumnDescriptor cfDescriptor) { this.tableName = tableName; this.cfDescriptor = cfDescriptor; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); this.unmodifiedHTableDescriptor = null; this.traceEnabled = null; } @@ -356,22 +355,16 @@ public class ModifyColumnFamilyProcedure final ModifyColumnFamilyState state) throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case MODIFY_COLUMN_FAMILY_PRE_OPERATION: - cpHost.preModifyColumnHandler(tableName, cfDescriptor); - break; - case MODIFY_COLUMN_FAMILY_POST_OPERATION: - cpHost.postModifyColumnHandler(tableName, cfDescriptor); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case MODIFY_COLUMN_FAMILY_PRE_OPERATION: + cpHost.preModifyColumnHandler(tableName, cfDescriptor, user); + break; + case MODIFY_COLUMN_FAMILY_POST_OPERATION: + cpHost.postModifyColumnHandler(tableName, cfDescriptor, user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java index b04a6383f2..e78568475b 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/ModifyTableProcedure.java @@ -21,7 +21,6 @@ package org.apache.hadoop.hbase.master.procedure; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -43,14 +42,13 @@ import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.ResultScanner; import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.client.Table; -import org.apache.hadoop.hbase.executor.EventType; import org.apache.hadoop.hbase.master.MasterCoprocessorHost; import org.apache.hadoop.hbase.procedure2.StateMachineProcedure; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.ModifyTableState; import org.apache.hadoop.hbase.protobuf.generated.ZooKeeperProtos; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.ServerRegionReplicaUtil; -import org.apache.hadoop.security.UserGroupInformation; @InterfaceAudience.Private public class ModifyTableProcedure @@ -62,7 +60,7 @@ public class ModifyTableProcedure private HTableDescriptor unmodifiedHTableDescriptor = null; private HTableDescriptor modifiedHTableDescriptor; - private UserGroupInformation user; + private User user; private boolean deleteColumnFamilyInModify; private List regionInfoList; @@ -75,8 +73,8 @@ public class ModifyTableProcedure public ModifyTableProcedure(final MasterProcedureEnv env, final HTableDescriptor htd) { initilize(); this.modifiedHTableDescriptor = htd; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); } private void initilize() { @@ -468,22 +466,16 @@ public class ModifyTableProcedure throws IOException, InterruptedException { final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - switch (state) { - case MODIFY_TABLE_PRE_OPERATION: - cpHost.preModifyTableHandler(getTableName(), modifiedHTableDescriptor); - break; - case MODIFY_TABLE_POST_OPERATION: - cpHost.postModifyTableHandler(getTableName(), modifiedHTableDescriptor); - break; - default: - throw new UnsupportedOperationException(this + " unhandled state=" + state); - } - return null; - } - }); + switch (state) { + case MODIFY_TABLE_PRE_OPERATION: + cpHost.preModifyTableHandler(getTableName(), modifiedHTableDescriptor, user); + break; + case MODIFY_TABLE_POST_OPERATION: + cpHost.postModifyTableHandler(getTableName(), modifiedHTableDescriptor, user); + break; + default: + throw new UnsupportedOperationException(this + " unhandled state=" + state); + } } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java index 46894266a5..0feb80ae6e 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/TruncateTableProcedure.java @@ -22,10 +22,10 @@ import com.google.common.annotations.VisibleForTesting; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Arrays; import java.util.List; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.HRegionInfo; @@ -41,8 +41,8 @@ import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos; import org.apache.hadoop.hbase.protobuf.generated.MasterProcedureProtos.TruncateTableState; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.ModifyRegionUtils; -import org.apache.hadoop.security.UserGroupInformation; @InterfaceAudience.Private public class TruncateTableProcedure @@ -52,7 +52,7 @@ public class TruncateTableProcedure private boolean preserveSplits; private List regions; - private UserGroupInformation user; + private User user; private HTableDescriptor hTableDescriptor; private TableName tableName; @@ -64,8 +64,8 @@ public class TruncateTableProcedure boolean preserveSplits) { this.tableName = tableName; this.preserveSplits = preserveSplits; - this.user = env.getRequestUser().getUGI(); - this.setOwner(this.user.getShortUserName()); + this.user = env.getRequestUser(); + this.setOwner(this.user.getShortName()); } @Override @@ -273,13 +273,7 @@ public class TruncateTableProcedure final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { final TableName tableName = getTableName(); - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.preTruncateTableHandler(tableName); - return null; - } - }); + cpHost.preTruncateTableHandler(tableName, user); } return true; } @@ -289,13 +283,7 @@ public class TruncateTableProcedure final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost(); if (cpHost != null) { final TableName tableName = getTableName(); - user.doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - cpHost.postTruncateTableHandler(tableName); - return null; - } - }); + cpHost.postTruncateTableHandler(tableName, user); } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java index 7fbfb49935..6f8c4cd1b2 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java @@ -23,7 +23,6 @@ import java.io.InterruptedIOException; import java.net.InetSocketAddress; import java.security.Key; import java.security.KeyException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -1417,23 +1416,7 @@ public class HStore implements Store { final StoreFile sf = moveFileIntoPlace(newFile); if (this.getCoprocessorHost() != null) { final Store thisStore = this; - if (user == null) { - getCoprocessorHost().postCompact(thisStore, sf, cr); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - getCoprocessorHost().postCompact(thisStore, sf, cr); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + getCoprocessorHost().postCompact(thisStore, sf, cr, user); } assert sf != null; sfs.add(sf); @@ -1639,7 +1622,7 @@ public class HStore implements Store { // Move the compaction into place. StoreFile sf = moveFileIntoPlace(newFile); if (this.getCoprocessorHost() != null) { - this.getCoprocessorHost().postCompact(this, sf, null); + this.getCoprocessorHost().postCompact(this, sf, null, null); } replaceStoreFiles(filesToCompact, Lists.newArrayList(sf)); completeCompaction(filesToCompact); @@ -1710,29 +1693,12 @@ public class HStore implements Store { this.lock.readLock().lock(); try { synchronized (filesCompacting) { - final Store thisStore = this; // First, see if coprocessor would want to override selection. if (this.getCoprocessorHost() != null) { final List candidatesForCoproc = compaction.preSelect(this.filesCompacting); boolean override = false; - if (user == null) { - override = getCoprocessorHost().preCompactSelection(this, candidatesForCoproc, - baseRequest); - } else { - try { - override = user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Boolean run() throws Exception { - return getCoprocessorHost().preCompactSelection(thisStore, candidatesForCoproc, - baseRequest); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + override = getCoprocessorHost().preCompactSelection(this, candidatesForCoproc, + baseRequest, user); if (override) { // Coprocessor is overriding normal file selection. compaction.forceSelect(new CompactionRequest(candidatesForCoproc)); @@ -1760,25 +1726,8 @@ public class HStore implements Store { } } if (this.getCoprocessorHost() != null) { - if (user == null) { - this.getCoprocessorHost().postCompactSelection( - this, ImmutableList.copyOf(compaction.getRequest().getFiles()), baseRequest); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - getCoprocessorHost().postCompactSelection( - thisStore,ImmutableList.copyOf(compaction.getRequest().getFiles()),baseRequest); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + this.getCoprocessorHost().postCompactSelection( + this, ImmutableList.copyOf(compaction.getRequest().getFiles()), baseRequest, user); } // Selected files; see if we have a compaction with some custom base request. diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java index 3378636056..9b0c19a6d6 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java @@ -71,6 +71,7 @@ import org.apache.hadoop.hbase.io.FSDataInputStreamWrapper; import org.apache.hadoop.hbase.io.ImmutableBytesWritable; import org.apache.hadoop.hbase.io.Reference; import org.apache.hadoop.hbase.io.hfile.CacheConfig; +import org.apache.hadoop.hbase.ipc.RpcServer; import org.apache.hadoop.hbase.metrics.MetricRegistry; import org.apache.hadoop.hbase.regionserver.DeleteTracker; import org.apache.hadoop.hbase.regionserver.Region.Operation; @@ -78,6 +79,7 @@ import org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest; import org.apache.hadoop.hbase.regionserver.wal.HLogKey; import org.apache.hadoop.hbase.wal.WALKey; import org.apache.hadoop.hbase.regionserver.wal.WALEdit; +import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.CoprocessorClassLoader; import org.apache.hadoop.hbase.util.Pair; @@ -537,9 +539,9 @@ public class RegionCoprocessorHost */ public InternalScanner preCompactScannerOpen(final Store store, final List scanners, final ScanType scanType, final long earliestPutTs, - final CompactionRequest request, final long readPoint) throws IOException { + final CompactionRequest request, final long readPoint, final User user) throws IOException { return execOperationWithResult(null, - coprocessors.isEmpty() ? null : new RegionOperationWithResult() { + coprocessors.isEmpty() ? null : new RegionOperationWithResult(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -559,8 +561,8 @@ public class RegionCoprocessorHost * @throws IOException */ public boolean preCompactSelection(final Store store, final List candidates, - final CompactionRequest request) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + final CompactionRequest request, final User user) throws IOException { + return execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -577,9 +579,9 @@ public class RegionCoprocessorHost * @param request custom compaction */ public void postCompactSelection(final Store store, final ImmutableList selected, - final CompactionRequest request) { + final CompactionRequest request, final User user) { try { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -600,9 +602,10 @@ public class RegionCoprocessorHost * @throws IOException */ public InternalScanner preCompact(final Store store, final InternalScanner scanner, - final ScanType scanType, final CompactionRequest request) throws IOException { + final ScanType scanType, final CompactionRequest request, final User user) + throws IOException { return execOperationWithResult(false, scanner, - coprocessors.isEmpty() ? null : new RegionOperationWithResult() { + coprocessors.isEmpty() ? null : new RegionOperationWithResult(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -619,8 +622,8 @@ public class RegionCoprocessorHost * @throws IOException */ public void postCompact(final Store store, final StoreFile resultFile, - final CompactionRequest request) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + final CompactionRequest request, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -709,8 +712,8 @@ public class RegionCoprocessorHost * @throws IOException */ // TODO: Deprecate this - public void preSplit() throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void preSplit(final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -723,8 +726,8 @@ public class RegionCoprocessorHost * Invoked just before a split * @throws IOException */ - public void preSplit(final byte[] splitRow) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void preSplit(final byte[] splitRow, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -739,8 +742,8 @@ public class RegionCoprocessorHost * @param r the new right-hand daughter region * @throws IOException */ - public void postSplit(final Region l, final Region r) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void postSplit(final Region l, final Region r, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -750,8 +753,8 @@ public class RegionCoprocessorHost } public boolean preSplitBeforePONR(final byte[] splitKey, - final List metaEntries) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + final List metaEntries, final User user) throws IOException { + return execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -760,8 +763,8 @@ public class RegionCoprocessorHost }); } - public void preSplitAfterPONR() throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void preSplitAfterPONR(final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -774,8 +777,8 @@ public class RegionCoprocessorHost * Invoked just before the rollback of a failed split is started * @throws IOException */ - public void preRollBackSplit() throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void preRollBackSplit(final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -788,8 +791,8 @@ public class RegionCoprocessorHost * Invoked just after the rollback of a failed split is done * @throws IOException */ - public void postRollBackSplit() throws IOException { - execOperation(coprocessors.isEmpty() ? null : new RegionOperation() { + public void postRollBackSplit(final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new RegionOperation(user) { @Override public void call(RegionObserver oserver, ObserverContext ctx) throws IOException { @@ -1690,6 +1693,14 @@ public class RegionCoprocessorHost private static abstract class CoprocessorOperation extends ObserverContext { + public CoprocessorOperation() { + this(RpcServer.getRequestUser()); + } + + public CoprocessorOperation(User user) { + super(user); + } + public abstract void call(Coprocessor observer, ObserverContext ctx) throws IOException; public abstract boolean hasCall(Coprocessor observer); @@ -1697,6 +1708,13 @@ public class RegionCoprocessorHost } private static abstract class RegionOperation extends CoprocessorOperation { + public RegionOperation() { + } + + public RegionOperation(User user) { + super(user); + } + public abstract void call(RegionObserver observer, ObserverContext ctx) throws IOException; @@ -1713,6 +1731,13 @@ public class RegionCoprocessorHost } private static abstract class RegionOperationWithResult extends RegionOperation { + public RegionOperationWithResult() { + } + + public RegionOperationWithResult(User user) { + super (user); + } + private T result = null; public void setResult(final T result) { this.result = result; } public T getResult() { return this.result; } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java index 03aa059e30..ff0d7a19ac 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionMergeTransactionImpl.java @@ -19,8 +19,6 @@ package org.apache.hadoop.hbase.regionserver; import java.io.IOException; -import java.io.InterruptedIOException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; import java.util.ListIterator; @@ -277,23 +275,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { } final HRegion mergedRegion = createMergedRegion(server, services, user); if (rsCoprocessorHost != null) { - if (user == null) { - rsCoprocessorHost.postMergeCommit(this.region_a, this.region_b, mergedRegion); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - rsCoprocessorHost.postMergeCommit(region_a, region_b, mergedRegion); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + rsCoprocessorHost.postMergeCommit(this.region_a, this.region_b, mergedRegion, user); } stepsAfterPONR(server, services, mergedRegion, user); @@ -317,23 +299,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { mergedRegionInfo, region_a, region_b, rmd, mergedRegion); } if (rsCoprocessorHost != null) { - if (user == null) { - rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + rsCoprocessorHost.postMerge(region_a, region_b, mergedRegion, user); } } @@ -355,23 +321,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { } if (rsCoprocessorHost != null) { - boolean ret = false; - if (user == null) { - ret = rsCoprocessorHost.preMerge(region_a, region_b); - } else { - try { - ret = user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Boolean run() throws Exception { - return rsCoprocessorHost.preMerge(region_a, region_b); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + boolean ret = rsCoprocessorHost.preMerge(region_a, region_b, user); if (ret) { throw new IOException("Coprocessor bypassing regions " + this.region_a + " " + this.region_b + " merge."); @@ -387,23 +337,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { @MetaMutationAnnotation final List metaEntries = new ArrayList(); if (rsCoprocessorHost != null) { - boolean ret = false; - if (user == null) { - ret = rsCoprocessorHost.preMergeCommit(region_a, region_b, metaEntries); - } else { - try { - ret = user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Boolean run() throws Exception { - return rsCoprocessorHost.preMergeCommit(region_a, region_b, metaEntries); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + boolean ret = rsCoprocessorHost.preMergeCommit(region_a, region_b, metaEntries, user); if (ret) { throw new IOException("Coprocessor bypassing regions " + this.region_a + " " @@ -781,23 +715,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { assert this.mergedRegionInfo != null; // Coprocessor callback if (rsCoprocessorHost != null) { - if (user == null) { - rsCoprocessorHost.preRollBackMerge(region_a, region_b); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - rsCoprocessorHost.preRollBackMerge(region_a, region_b); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + rsCoprocessorHost.preRollBackMerge(region_a, region_b, user); } boolean result = true; @@ -885,23 +803,7 @@ public class RegionMergeTransactionImpl implements RegionMergeTransaction { } // Coprocessor callback if (rsCoprocessorHost != null) { - if (user == null) { - rsCoprocessorHost.postRollBackMerge(region_a, region_b); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - rsCoprocessorHost.postRollBackMerge(region_a, region_b); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + rsCoprocessorHost.postRollBackMerge(region_a, region_b, user); } return result; diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java index 1b64ab81a0..2fe8412c06 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerCoprocessorHost.java @@ -98,8 +98,8 @@ public class RegionServerCoprocessorHost extends }); } - public boolean preMerge(final HRegion regionA, final HRegion regionB) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public boolean preMerge(final HRegion regionA, final HRegion regionB, final User user) throws IOException { + return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -108,9 +108,10 @@ public class RegionServerCoprocessorHost extends }); } - public void postMerge(final HRegion regionA, final HRegion regionB, final HRegion mergedRegion) + public void postMerge(final HRegion regionA, final HRegion regionB, final HRegion mergedRegion, + final User user) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -120,8 +121,9 @@ public class RegionServerCoprocessorHost extends } public boolean preMergeCommit(final HRegion regionA, final HRegion regionB, - final @MetaMutationAnnotation List metaEntries) throws IOException { - return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + final @MetaMutationAnnotation List metaEntries, final User user) + throws IOException { + return execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -131,8 +133,8 @@ public class RegionServerCoprocessorHost extends } public void postMergeCommit(final HRegion regionA, final HRegion regionB, - final HRegion mergedRegion) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + final HRegion mergedRegion, final User user) throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -141,8 +143,9 @@ public class RegionServerCoprocessorHost extends }); } - public void preRollBackMerge(final HRegion regionA, final HRegion regionB) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void preRollBackMerge(final HRegion regionA, final HRegion regionB, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -151,8 +154,9 @@ public class RegionServerCoprocessorHost extends }); } - public void postRollBackMerge(final HRegion regionA, final HRegion regionB) throws IOException { - execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation() { + public void postRollBackMerge(final HRegion regionA, final HRegion regionB, final User user) + throws IOException { + execOperation(coprocessors.isEmpty() ? null : new CoprocessorOperation(user) { @Override public void call(RegionServerObserver oserver, ObserverContext ctx) throws IOException { @@ -227,6 +231,11 @@ public class RegionServerCoprocessorHost extends private static abstract class CoprocessorOperation extends ObserverContext { public CoprocessorOperation() { + this(RpcServer.getRequestUser()); + } + + public CoprocessorOperation(User user) { + super(user); } public abstract void call(RegionServerObserver oserver, diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java index f9a5d312bb..ebdcd173bf 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitTransactionImpl.java @@ -20,7 +20,6 @@ package org.apache.hadoop.hbase.regionserver; import java.io.IOException; import java.io.InterruptedIOException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; import java.util.ListIterator; @@ -244,26 +243,9 @@ public class SplitTransactionImpl implements SplitTransaction { // Coprocessor callback if (this.parent.getCoprocessorHost() != null) { - if (user == null) { - // TODO: Remove one of these - parent.getCoprocessorHost().preSplit(); - parent.getCoprocessorHost().preSplit(splitrow); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - parent.getCoprocessorHost().preSplit(); - parent.getCoprocessorHost().preSplit(splitrow); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + // TODO: Remove one of these + parent.getCoprocessorHost().preSplit(user); + parent.getCoprocessorHost().preSplit(splitrow, user); } transition(SplitTransactionPhase.AFTER_PRE_SPLIT_HOOK); @@ -280,22 +262,7 @@ public class SplitTransactionImpl implements SplitTransaction { final List metaEntries = new ArrayList(); boolean ret = false; if (this.parent.getCoprocessorHost() != null) { - if (user == null) { - ret = parent.getCoprocessorHost().preSplitBeforePONR(splitrow, metaEntries); - } else { - try { - ret = user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Boolean run() throws Exception { - return parent.getCoprocessorHost().preSplitBeforePONR(splitrow, metaEntries); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + ret = parent.getCoprocessorHost().preSplitBeforePONR(splitrow, metaEntries, user); if (ret) { throw new IOException("Coprocessor bypassing region " + this.parent.getRegionInfo().getRegionNameAsString() + " split."); @@ -560,23 +527,7 @@ public class SplitTransactionImpl implements SplitTransaction { } PairOfSameType regions = createDaughters(server, services, user); if (this.parent.getCoprocessorHost() != null) { - if (user == null) { - parent.getCoprocessorHost().preSplitAfterPONR(); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - parent.getCoprocessorHost().preSplitAfterPONR(); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + parent.getCoprocessorHost().preSplitAfterPONR(user); } regions = stepsAfterPONR(server, services, regions, user); @@ -606,23 +557,7 @@ public class SplitTransactionImpl implements SplitTransaction { // Coprocessor callback if (parent.getCoprocessorHost() != null) { - if (user == null) { - this.parent.getCoprocessorHost().postSplit(regions.getFirst(), regions.getSecond()); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - parent.getCoprocessorHost().postSplit(regions.getFirst(), regions.getSecond()); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + this.parent.getCoprocessorHost().postSplit(regions.getFirst(), regions.getSecond(), user); } transition(SplitTransactionPhase.AFTER_POST_SPLIT_HOOK); @@ -915,23 +850,7 @@ public class SplitTransactionImpl implements SplitTransaction { throws IOException { // Coprocessor callback if (this.parent.getCoprocessorHost() != null) { - if (user == null) { - this.parent.getCoprocessorHost().preRollBackSplit(); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - parent.getCoprocessorHost().preRollBackSplit(); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + this.parent.getCoprocessorHost().preRollBackSplit(user); } boolean result = true; @@ -1013,23 +932,7 @@ public class SplitTransactionImpl implements SplitTransaction { } // Coprocessor callback if (this.parent.getCoprocessorHost() != null) { - if (user == null) { - this.parent.getCoprocessorHost().postRollBackSplit(); - } else { - try { - user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public Void run() throws Exception { - parent.getCoprocessorHost().postRollBackSplit(); - return null; - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + this.parent.getCoprocessorHost().postRollBackSplit(user); } return result; } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java index b7d27de6a7..62701f320b 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/Compactor.java @@ -19,7 +19,6 @@ package org.apache.hadoop.hbase.regionserver.compactions; import java.io.IOException; import java.io.InterruptedIOException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -364,24 +363,8 @@ public abstract class Compactor { if (store.getCoprocessorHost() == null) { return null; } - if (user == null) { - return store.getCoprocessorHost().preCompactScannerOpen(store, scanners, scanType, - earliestPutTs, request, readPoint); - } else { - try { - return user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public InternalScanner run() throws Exception { - return store.getCoprocessorHost().preCompactScannerOpen(store, scanners, - scanType, earliestPutTs, request, readPoint); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + return store.getCoprocessorHost().preCompactScannerOpen(store, scanners, scanType, + earliestPutTs, request, readPoint, user); } /** @@ -396,22 +379,7 @@ public abstract class Compactor { if (store.getCoprocessorHost() == null) { return scanner; } - if (user == null) { - return store.getCoprocessorHost().preCompact(store, scanner, scanType, request); - } else { - try { - return user.getUGI().doAs(new PrivilegedExceptionAction() { - @Override - public InternalScanner run() throws Exception { - return store.getCoprocessorHost().preCompact(store, scanner, scanType, request); - } - }); - } catch (InterruptedException ie) { - InterruptedIOException iioe = new InterruptedIOException(); - iioe.initCause(ie); - throw iioe; - } - } + return store.getCoprocessorHost().preCompact(store, scanner, scanType, request, user); } /** diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 87b79477ad..1c7db7dea1 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -19,7 +19,6 @@ package org.apache.hadoop.hbase.security.access; import java.io.IOException; -import java.net.InetAddress; import java.security.PrivilegedExceptionAction; import java.util.Collection; import java.util.HashMap; @@ -37,7 +36,6 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.Cell; import org.apache.hadoop.hbase.CellScanner; import org.apache.hadoop.hbase.CellUtil; -import org.apache.hadoop.hbase.ClusterStatus; import org.apache.hadoop.hbase.CompoundConfiguration; import org.apache.hadoop.hbase.CoprocessorEnvironment; import org.apache.hadoop.hbase.DoNotRetryIOException; @@ -402,8 +400,8 @@ public class AccessController extends BaseMasterAndRegionObserver * If we are in the context of an RPC call, the remote user is used, * otherwise the currently logged in user is used. */ - private User getActiveUser() throws IOException { - User user = RpcServer.getRequestUser(); + private User getActiveUser(ObserverContext ctx) throws IOException { + User user = ctx.getCaller(); if (user == null) { // for non-rpc handling, fallback to system user user = userProvider.getCurrent(); @@ -414,101 +412,118 @@ public class AccessController extends BaseMasterAndRegionObserver /** * Authorizes that the current user has any of the given permissions for the * given table, column family and column qualifier. + * @param user the user + * @param request the request * @param tableName Table requested * @param family Column family requested * @param qualifier Column qualifier requested * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if user has no authorization */ - public void requirePermission(String request, TableName tableName, byte[] family, + public void requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException { - accessChecker.requirePermission(getActiveUser(), request, + accessChecker.requirePermission(user, request, tableName, family, qualifier, permissions); } /** * Authorizes that the current user has any of the given permissions for the * given table, column family and column qualifier. + * @param user The active user + * @param request The request * @param tableName Table requested * @param family Column family param * @param qualifier Column qualifier param * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if user has no authorization */ - public void requireTablePermission(String request, TableName tableName, byte[] family, + public void requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException { - accessChecker.requireTablePermission(getActiveUser(), request, + accessChecker.requireTablePermission(user, request, tableName, family, qualifier, permissions); } /** * Authorizes that the current user has any of the given permissions to access the table. - * + * @param user The active user + * @param request The request * @param tableName Table requested * @param permissions Actions being requested * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if user has no authorization */ - public void requireAccess(String request, TableName tableName, + public void requireAccess(User user, String request, TableName tableName, Action... permissions) throws IOException { - accessChecker.requireAccess(getActiveUser(), request, tableName, permissions); + accessChecker.requireAccess(user, request, tableName, permissions); } /** * Authorizes that the current user has global privileges for the given action. + * @param user The active user + * @param request The request * @param perm The action being requested * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if authorization is denied */ - public void requirePermission(String request, Action perm) throws IOException { - accessChecker.requirePermission(getActiveUser(), request, perm); + public void requirePermission(User user, String request, Action perm) throws IOException { + accessChecker.requirePermission(user, request, perm); } /** * Checks that the user has the given global permission. The generated * audit log message will contain context information for the operation * being authorized, based on the given parameters. + * @param user The active user + * @param request The request * @param perm Action being requested * @param tableName Affected table name. * @param familyMap Affected column families. */ - public void requireGlobalPermission(String request, Action perm, TableName tableName, + public void requireGlobalPermission(User user, String request, Action perm, TableName tableName, Map> familyMap) throws IOException { - accessChecker.requireGlobalPermission(getActiveUser(), request, perm, tableName, familyMap); + accessChecker.requireGlobalPermission(user, request, perm, tableName, familyMap); } /** * Checks that the user has the given global permission. The generated * audit log message will contain context information for the operation * being authorized, based on the given parameters. + * @param user The active user + * @param request The request * @param perm Action being requested * @param namespace The given namespace */ - public void requireGlobalPermission(String request, Action perm, + public void requireGlobalPermission(User user, String request, Action perm, String namespace) throws IOException { - accessChecker.requireGlobalPermission(getActiveUser(), request, perm, namespace); + accessChecker.requireGlobalPermission(user, request, perm, namespace); } /** * Checks that the user has the given global or namespace permission. + * @param user The active user + * @param request The request * @param namespace The given namespace * @param permissions Actions being requested */ - public void requireNamespacePermission(String request, String namespace, + public void requireNamespacePermission(User user, String request, String namespace, Action... permissions) throws IOException { - accessChecker.requireNamespacePermission(getActiveUser(), request, namespace, permissions); + accessChecker.requireNamespacePermission(user, request, namespace, permissions); } /** * Checks that the user has the given global or namespace permission. - * @param namespace The given namespace + * @param user The active user + * @param request The request + * @param namespace The given namespace + * @param tableName The table + * @param familyMap The family map * @param permissions Actions being requested */ - public void requireNamespacePermission(String request, String namespace, TableName tableName, - Map> familyMap, Action... permissions) - throws IOException { - accessChecker.requireNamespacePermission(getActiveUser(), request, namespace, - tableName, familyMap, permissions); + public void requireNamespacePermission(User user, String request, String namespace, + TableName tableName, Map> familyMap, + Action... permissions) throws IOException { + accessChecker.requireNamespacePermission(user, request, namespace, tableName, familyMap, + permissions); } /** @@ -582,14 +597,13 @@ public class AccessController extends BaseMasterAndRegionObserver * @return false if cell ACLs failed to grant access, true otherwise * @throws IOException */ - private boolean checkCoveringPermission(OpType request, RegionCoprocessorEnvironment e, + private boolean checkCoveringPermission(User user, OpType request, RegionCoprocessorEnvironment e, byte[] row, Map> familyMap, long opTs, Action... actions) throws IOException { if (!cellFeaturesEnabled) { return false; } long cellGrants = 0; - User user = getActiveUser(); long latestCellTs = 0; Get get = new Get(row); // Only in case of Put/Delete op, consider TS within cell (if set for individual cells). @@ -864,8 +878,8 @@ public class AccessController extends BaseMasterAndRegionObserver for (byte[] family: families) { familyMap.put(family, null); } - requireNamespacePermission("createTable", desc.getTableName().getNamespaceAsString(), - desc.getTableName(), familyMap, Action.CREATE); + requireNamespacePermission(getActiveUser(c), "createTable", + desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE); } @Override @@ -897,7 +911,7 @@ public class AccessController extends BaseMasterAndRegionObserver String owner = desc.getOwnerString(); // default the table owner to current user, if not specified. if (owner == null) - owner = getActiveUser().getShortName(); + owner = getActiveUser(c).getShortName(); final UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(), null, Action.values()); // switch to the real hbase master user for doing the RPC on the ACL table @@ -916,7 +930,8 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preDeleteTable(ObserverContext c, TableName tableName) throws IOException { - requirePermission("deleteTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "deleteTable", tableName, null, null, + Action.ADMIN, Action.CREATE); } @Override @@ -937,7 +952,8 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preTruncateTable(ObserverContext c, final TableName tableName) throws IOException { - requirePermission("truncateTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "truncateTable", tableName, null, null, + Action.ADMIN, Action.CREATE); final Configuration conf = c.getEnvironment().getConfiguration(); User.runAsLoginUser(new PrivilegedExceptionAction() { @@ -975,7 +991,8 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preModifyTable(ObserverContext c, TableName tableName, HTableDescriptor htd) throws IOException { - requirePermission("modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "modifyTable", tableName, null, null, + Action.ADMIN, Action.CREATE); } @Override @@ -984,7 +1001,7 @@ public class AccessController extends BaseMasterAndRegionObserver final Configuration conf = c.getEnvironment().getConfiguration(); // default the table owner to current user, if not specified. final String owner = (htd.getOwnerString() != null) ? htd.getOwnerString() : - getActiveUser().getShortName(); + getActiveUser(c).getShortName(); User.runAsLoginUser(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -1000,21 +1017,22 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preAddColumn(ObserverContext c, TableName tableName, HColumnDescriptor column) throws IOException { - requireTablePermission("addColumn", tableName, column.getName(), null, Action.ADMIN, - Action.CREATE); + requireTablePermission(getActiveUser(c), "addColumn", tableName, column.getName(), null, + Action.ADMIN, Action.CREATE); } @Override public void preModifyColumn(ObserverContext c, TableName tableName, HColumnDescriptor descriptor) throws IOException { - requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN, - Action.CREATE); + requirePermission(getActiveUser(c), "modifyColumn", tableName, descriptor.getName(), null, + Action.ADMIN, Action.CREATE); } @Override public void preDeleteColumn(ObserverContext c, TableName tableName, byte[] col) throws IOException { - requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "deleteColumn", tableName, col, null, Action.ADMIN, + Action.CREATE); } @Override @@ -1034,7 +1052,8 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preEnableTable(ObserverContext c, TableName tableName) throws IOException { - requirePermission("enableTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "enableTable", tableName, null, null, + Action.ADMIN, Action.CREATE); } @Override @@ -1048,7 +1067,8 @@ public class AccessController extends BaseMasterAndRegionObserver throw new AccessDeniedException("Not allowed to disable " + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed"); } - requirePermission("disableTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(c), "disableTable", tableName, null, null, + Action.ADMIN, Action.CREATE); } @Override @@ -1056,10 +1076,10 @@ public class AccessController extends BaseMasterAndRegionObserver ObserverContext ctx, final ProcedureExecutor procEnv, final long procId) throws IOException { - if (!procEnv.isProcedureOwner(procId, getActiveUser())) { + if (!procEnv.isProcedureOwner(procId, getActiveUser(ctx))) { // If the user is not the procedure owner, then we should further probe whether // he can abort the procedure. - requirePermission("abortProcedure", Action.ADMIN); + requirePermission(getActiveUser(ctx), "abortProcedure", Action.ADMIN); } } @@ -1087,14 +1107,14 @@ public class AccessController extends BaseMasterAndRegionObserver // Retains only those which passes authorization checks, as the checks weren't done as part // of preListProcedures. Iterator itr = procInfoList.iterator(); - User user = getActiveUser(); + User user = getActiveUser(ctx); while (itr.hasNext()) { ProcedureInfo procInfo = itr.next(); try { if (!ProcedureInfo.isProcedureOwner(procInfo, user)) { // If the user is not the procedure owner, then we should further probe whether // he can see the procedure. - requirePermission("listProcedures", Action.ADMIN); + requirePermission(user, "listProcedures", Action.ADMIN); } } catch (AccessDeniedException e) { itr.remove(); @@ -1105,31 +1125,32 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preMove(ObserverContext c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException { - requirePermission("move", region.getTable(), null, null, Action.ADMIN); + requirePermission(getActiveUser(c), "move", region.getTable(), null, null, Action.ADMIN); } @Override public void preAssign(ObserverContext c, HRegionInfo regionInfo) throws IOException { - requirePermission("assign", regionInfo.getTable(), null, null, Action.ADMIN); + requirePermission(getActiveUser(c), "assign", regionInfo.getTable(), null, null, Action.ADMIN); } @Override public void preUnassign(ObserverContext c, HRegionInfo regionInfo, boolean force) throws IOException { - requirePermission("unassign", regionInfo.getTable(), null, null, Action.ADMIN); + requirePermission(getActiveUser(c), "unassign", regionInfo.getTable(), null, null, Action.ADMIN); } @Override public void preRegionOffline(ObserverContext c, HRegionInfo regionInfo) throws IOException { - requirePermission("regionOffline", regionInfo.getTable(), null, null, Action.ADMIN); + requirePermission(getActiveUser(c), "regionOffline", regionInfo.getTable(), null, null, + Action.ADMIN); } @Override public boolean preSetSplitOrMergeEnabled(final ObserverContext ctx, final boolean newValue, final Admin.MasterSwitchType switchType) throws IOException { - requirePermission("setSplitOrMergeEnabled", Action.ADMIN); + requirePermission(getActiveUser(ctx), "setSplitOrMergeEnabled", Action.ADMIN); return false; } @@ -1141,26 +1162,26 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preBalance(ObserverContext c) throws IOException { - requirePermission("balance", Action.ADMIN); + requirePermission(getActiveUser(c), "balance", Action.ADMIN); } @Override public boolean preBalanceSwitch(ObserverContext c, boolean newValue) throws IOException { - requirePermission("balanceSwitch", Action.ADMIN); + requirePermission(getActiveUser(c), "balanceSwitch", Action.ADMIN); return newValue; } @Override public void preShutdown(ObserverContext c) throws IOException { - requirePermission("shutdown", Action.ADMIN); + requirePermission(getActiveUser(c), "shutdown", Action.ADMIN); } @Override public void preStopMaster(ObserverContext c) throws IOException { - requirePermission("stopMaster", Action.ADMIN); + requirePermission(getActiveUser(c), "stopMaster", Action.ADMIN); } @Override @@ -1179,21 +1200,21 @@ public class AccessController extends BaseMasterAndRegionObserver public void preSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, + requirePermission(getActiveUser(ctx), "snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN); } @Override public void preListSnapshot(ObserverContext ctx, final SnapshotDescription snapshot) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(ctx); if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) { // list it, if user is the owner of snapshot AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(), "Snapshot owner check allowed", user, null, null, null); accessChecker.logResult(result); } else { - requirePermission("listSnapshot " + snapshot.getName(), Action.ADMIN); + requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN); } } @@ -1201,7 +1222,7 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(ctx); if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) { // Snapshot owner is allowed to create a table with the same name as the snapshot he took @@ -1209,7 +1230,7 @@ public class AccessController extends BaseMasterAndRegionObserver "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null); accessChecker.logResult(result); } else { - requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); + requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN); } } @@ -1217,38 +1238,39 @@ public class AccessController extends BaseMasterAndRegionObserver public void preRestoreSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) { - requirePermission("restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, - Permission.Action.ADMIN); + User user = getActiveUser(ctx); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) { + requirePermission(user, "restoreSnapshot " + snapshot.getName(), + hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN); } else { - requirePermission("restoreSnapshot " + snapshot.getName(), Action.ADMIN); + requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN); } } @Override public void preDeleteSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(ctx); if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) { // Snapshot owner is allowed to delete the snapshot AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(), "Snapshot owner check allowed", user, null, null, null); accessChecker.logResult(result); } else { - requirePermission("deleteSnapshot " + snapshot.getName(), Action.ADMIN); + requirePermission(user, "deleteSnapshot", Action.ADMIN); } } @Override public void preCreateNamespace(ObserverContext ctx, NamespaceDescriptor ns) throws IOException { - requireGlobalPermission("createNamespace", Action.ADMIN, ns.getName()); + requireGlobalPermission(getActiveUser(ctx), "createNamespace", Action.ADMIN, ns.getName()); } @Override public void preDeleteNamespace(ObserverContext ctx, String namespace) throws IOException { - requireGlobalPermission("deleteNamespace", Action.ADMIN, namespace); + requireGlobalPermission(getActiveUser(ctx), "deleteNamespace", Action.ADMIN, namespace); } @Override @@ -1272,13 +1294,13 @@ public class AccessController extends BaseMasterAndRegionObserver NamespaceDescriptor ns) throws IOException { // We require only global permission so that // a user with NS admin cannot altering namespace configurations. i.e. namespace quota - requireGlobalPermission("modifyNamespace", Action.ADMIN, ns.getName()); + requireGlobalPermission(getActiveUser(ctx), "modifyNamespace", Action.ADMIN, ns.getName()); } @Override public void preGetNamespaceDescriptor(ObserverContext ctx, String namespace) throws IOException { - requireNamespacePermission("getNamespaceDescriptor", namespace, Action.ADMIN); + requireNamespacePermission(getActiveUser(ctx), "getNamespaceDescriptor", namespace, Action.ADMIN); } @Override @@ -1287,10 +1309,11 @@ public class AccessController extends BaseMasterAndRegionObserver // Retains only those which passes authorization checks, as the checks weren't done as part // of preGetTableDescriptors. Iterator itr = descriptors.iterator(); + User user = getActiveUser(ctx); while (itr.hasNext()) { NamespaceDescriptor desc = itr.next(); try { - requireNamespacePermission("listNamespaces", desc.getName(), Action.ADMIN); + requireNamespacePermission(user, "listNamespaces", desc.getName(), Action.ADMIN); } catch (AccessDeniedException e) { itr.remove(); } @@ -1300,24 +1323,25 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preTableFlush(final ObserverContext ctx, final TableName tableName) throws IOException { - requirePermission("flushTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission(getActiveUser(ctx), "flushTable", tableName, null, null, + Action.ADMIN, Action.CREATE); } /* ---- RegionObserver implementation ---- */ @Override - public void preOpen(ObserverContext e) + public void preOpen(ObserverContext c) throws IOException { - RegionCoprocessorEnvironment env = e.getEnvironment(); + RegionCoprocessorEnvironment env = c.getEnvironment(); final Region region = env.getRegion(); if (region == null) { LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()"); } else { HRegionInfo regionInfo = region.getRegionInfo(); if (regionInfo.getTable().isSystemTable()) { - checkSystemOrSuperUser(); + checkSystemOrSuperUser(getActiveUser(c)); } else { - requirePermission("preOpen", Action.ADMIN); + requirePermission(getActiveUser(c), "preOpen", Action.ADMIN); } } } @@ -1361,28 +1385,30 @@ public class AccessController extends BaseMasterAndRegionObserver } @Override - public void preFlush(ObserverContext e) throws IOException { - requirePermission("flush", getTableName(e.getEnvironment()), null, null, Action.ADMIN, - Action.CREATE); + public void preFlush(ObserverContext c) throws IOException { + requirePermission(getActiveUser(c), "flush", getTableName(c.getEnvironment()), null, null, + Action.ADMIN, Action.CREATE); } @Override - public void preSplit(ObserverContext e) throws IOException { - requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN); + public void preSplit(ObserverContext c) throws IOException { + requirePermission(getActiveUser(c), "split", getTableName(c.getEnvironment()), null, null, + Action.ADMIN); } @Override - public void preSplit(ObserverContext e, + public void preSplit(ObserverContext c, byte[] splitRow) throws IOException { - requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN); + requirePermission(getActiveUser(c), "split", getTableName(c.getEnvironment()), null, null, + Action.ADMIN); } @Override - public InternalScanner preCompact(ObserverContext e, + public InternalScanner preCompact(ObserverContext c, final Store store, final InternalScanner scanner, final ScanType scanType) throws IOException { - requirePermission("compact", getTableName(e.getEnvironment()), null, null, Action.ADMIN, - Action.CREATE); + requirePermission(getActiveUser(c), "compact", getTableName(c.getEnvironment()), null, null, + Action.ADMIN, Action.CREATE); return scanner; } @@ -1393,11 +1419,11 @@ public class AccessController extends BaseMasterAndRegionObserver assert family != null; RegionCoprocessorEnvironment env = c.getEnvironment(); Map> families = makeFamilyMap(family, null); - User user = getActiveUser(); + User user = getActiveUser(c); AuthResult authResult = permissionGranted(OpType.GET_CLOSEST_ROW_BEFORE, user, env, families, Action.READ); if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) { - authResult.setAllowed(checkCoveringPermission(OpType.GET_CLOSEST_ROW_BEFORE, env, row, + authResult.setAllowed(checkCoveringPermission(user, OpType.GET_CLOSEST_ROW_BEFORE, env, row, families, HConstants.LATEST_TIMESTAMP, Action.READ)); authResult.setReason("Covering cell set"); } @@ -1415,7 +1441,7 @@ public class AccessController extends BaseMasterAndRegionObserver if (filter != null && filter instanceof AccessControlFilter) { return; } - User user = getActiveUser(); + User user = getActiveUser(c); RegionCoprocessorEnvironment env = c.getEnvironment(); Map> families = null; switch (opType) { @@ -1528,7 +1554,7 @@ public class AccessController extends BaseMasterAndRegionObserver public void prePut(final ObserverContext c, final Put put, final WALEdit edit, final Durability durability) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(c); checkForReservedTagPresence(user, put); // Require WRITE permission to the table, CF, or top visible value, if any. @@ -1583,7 +1609,7 @@ public class AccessController extends BaseMasterAndRegionObserver // by a tombstone already) then we have to disallow this operation. RegionCoprocessorEnvironment env = c.getEnvironment(); Map> families = delete.getFamilyCellMap(); - User user = getActiveUser(); + User user = getActiveUser(c); AuthResult authResult = permissionGranted(OpType.DELETE, user, env, families, Action.WRITE); accessChecker.logResult(authResult); if (!authResult.isAllowed()) { @@ -1601,6 +1627,7 @@ public class AccessController extends BaseMasterAndRegionObserver MiniBatchOperationInProgress miniBatchOp) throws IOException { if (cellFeaturesEnabled && !compatibleEarlyTermination) { TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); + User user = getActiveUser(c); for (int i = 0; i < miniBatchOp.size(); i++) { Mutation m = miniBatchOp.getOperation(i); if (m.getAttribute(CHECK_COVERING_PERM) != null) { @@ -1608,19 +1635,19 @@ public class AccessController extends BaseMasterAndRegionObserver // perm check OpType opType; if (m instanceof Put) { - checkForReservedTagPresence(getActiveUser(), m); + checkForReservedTagPresence(user, m); opType = OpType.PUT; } else { opType = OpType.DELETE; } AuthResult authResult = null; - if (checkCoveringPermission(opType, c.getEnvironment(), m.getRow(), + if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(), m.getFamilyCellMap(), m.getTimeStamp(), Action.WRITE)) { authResult = AuthResult.allow(opType.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, m.getFamilyCellMap()); + user, Action.WRITE, table, m.getFamilyCellMap()); } else { authResult = AuthResult.deny(opType.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, m.getFamilyCellMap()); + user, Action.WRITE, table, m.getFamilyCellMap()); } accessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { @@ -1647,7 +1674,7 @@ public class AccessController extends BaseMasterAndRegionObserver final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator, final Put put, final boolean result) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(c); checkForReservedTagPresence(user, put); // Require READ and WRITE permissions on the table, CF, and KV to update @@ -1687,13 +1714,14 @@ public class AccessController extends BaseMasterAndRegionObserver TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); Map> families = makeFamilyMap(family, qualifier); AuthResult authResult = null; - if (checkCoveringPermission(OpType.CHECK_AND_PUT, c.getEnvironment(), row, families, + User user = getActiveUser(c); + if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) { authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set", - getActiveUser(), Action.READ, table, families); + user, Action.READ, table, families); } else { authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set", - getActiveUser(), Action.READ, table, families); + user, Action.READ, table, families); } accessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { @@ -1718,7 +1746,7 @@ public class AccessController extends BaseMasterAndRegionObserver // by the delete RegionCoprocessorEnvironment env = c.getEnvironment(); Map> families = makeFamilyMap(family, qualifier); - User user = getActiveUser(); + User user = getActiveUser(c); AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE); accessChecker.logResult(authResult); @@ -1745,13 +1773,14 @@ public class AccessController extends BaseMasterAndRegionObserver TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); Map> families = makeFamilyMap(family, qualifier); AuthResult authResult = null; - if (checkCoveringPermission(OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families, + User user = getActiveUser(c); + if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) { authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", - getActiveUser(), Action.READ, table, families); + user, Action.READ, table, families); } else { authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", - getActiveUser(), Action.READ, table, families); + user, Action.READ, table, families); } accessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { @@ -1770,11 +1799,11 @@ public class AccessController extends BaseMasterAndRegionObserver // incremented value RegionCoprocessorEnvironment env = c.getEnvironment(); Map> families = makeFamilyMap(family, qualifier); - User user = getActiveUser(); + User user = getActiveUser(c); AuthResult authResult = permissionGranted(OpType.INCREMENT_COLUMN_VALUE, user, env, families, Action.WRITE); if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) { - authResult.setAllowed(checkCoveringPermission(OpType.INCREMENT_COLUMN_VALUE, env, row, + authResult.setAllowed(checkCoveringPermission(user, OpType.INCREMENT_COLUMN_VALUE, env, row, families, HConstants.LATEST_TIMESTAMP, Action.WRITE)); authResult.setReason("Covering cell set"); } @@ -1788,7 +1817,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public Result preAppend(ObserverContext c, Append append) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(c); checkForReservedTagPresence(user, append); // Require WRITE permission to the table, CF, and the KV to be appended @@ -1825,13 +1854,14 @@ public class AccessController extends BaseMasterAndRegionObserver // perm check TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); AuthResult authResult = null; - if (checkCoveringPermission(OpType.APPEND, c.getEnvironment(), append.getRow(), + User user = getActiveUser(c); + if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(), append.getFamilyCellMap(), HConstants.LATEST_TIMESTAMP, Action.WRITE)) { authResult = AuthResult.allow(OpType.APPEND.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, append.getFamilyCellMap()); + user, Action.WRITE, table, append.getFamilyCellMap()); } else { authResult = AuthResult.deny(OpType.APPEND.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, append.getFamilyCellMap()); + user, Action.WRITE, table, append.getFamilyCellMap()); } accessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { @@ -1846,7 +1876,7 @@ public class AccessController extends BaseMasterAndRegionObserver public Result preIncrement(final ObserverContext c, final Increment increment) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(c); checkForReservedTagPresence(user, increment); // Require WRITE permission to the table, CF, and the KV to be replaced by @@ -1885,13 +1915,14 @@ public class AccessController extends BaseMasterAndRegionObserver // perm check TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable(); AuthResult authResult = null; - if (checkCoveringPermission(OpType.INCREMENT, c.getEnvironment(), increment.getRow(), + User user = getActiveUser(c); + if (checkCoveringPermission(user, OpType.INCREMENT, c.getEnvironment(), increment.getRow(), increment.getFamilyCellMap(), increment.getTimeRange().getMax(), Action.WRITE)) { authResult = AuthResult.allow(OpType.INCREMENT.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, increment.getFamilyCellMap()); + user, Action.WRITE, table, increment.getFamilyCellMap()); } else { authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set", - getActiveUser(), Action.WRITE, table, increment.getFamilyCellMap()); + user, Action.WRITE, table, increment.getFamilyCellMap()); } accessChecker.logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { @@ -1981,7 +2012,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public RegionScanner postScannerOpen(final ObserverContext c, final Scan scan, final RegionScanner s) throws IOException { - User user = getActiveUser(); + User user = getActiveUser(c); if (user != null && user.getShortName() != null) { // store reference to scanner owner for later checks scannerOwners.put(s, user.getShortName()); @@ -2034,8 +2065,9 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preBulkLoadHFile(ObserverContext ctx, List> familyPaths) throws IOException { + User user = getActiveUser(ctx); for(Pair el : familyPaths) { - requirePermission("preBulkLoadHFile", + requirePermission(user, "preBulkLoadHFile", ctx.getEnvironment().getRegion().getTableDesc().getTableName(), el.getFirst(), null, @@ -2053,7 +2085,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void prePrepareBulkLoad(ObserverContext ctx, PrepareBulkLoadRequest request) throws IOException { - requireAccess("prePareBulkLoad", + requireAccess(getActiveUser(ctx), "prePrepareBulkLoad", ctx.getEnvironment().getRegion().getTableDesc().getTableName(), Action.CREATE); } @@ -2067,7 +2099,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preCleanupBulkLoad(ObserverContext ctx, CleanupBulkLoadRequest request) throws IOException { - requireAccess("preCleanupBulkLoad", + requireAccess(getActiveUser(ctx), "preCleanupBulkLoad", ctx.getEnvironment().getRegion().getTableDesc().getTableName(), Action.CREATE); } @@ -2079,10 +2111,10 @@ public class AccessController extends BaseMasterAndRegionObserver // Don't intercept calls to our own AccessControlService, we check for // appropriate permissions in the service handlers if (shouldCheckExecPermission && !(service instanceof AccessControlService)) { - requirePermission("invoke(" + service.getDescriptorForType().getName() + "." + - methodName + ")", - getTableName(ctx.getEnvironment()), null, null, - Action.EXEC); + requirePermission(getActiveUser(ctx), + "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")", + getTableName(ctx.getEnvironment()), null, null, + Action.EXEC); } return request; } @@ -2109,15 +2141,16 @@ public class AccessController extends BaseMasterAndRegionObserver if (LOG.isDebugEnabled()) { LOG.debug("Received request to grant access permission " + perm.toString()); } + User caller = RpcServer.getRequestUser(); switch(request.getUserPermission().getPermission().getType()) { case Global : case Table : - requirePermission("grant", perm.getTableName(), perm.getFamily(), - perm.getQualifier(), Action.ADMIN); + requirePermission(caller, "grant", perm.getTableName(), + perm.getFamily(), perm.getQualifier(), Action.ADMIN); break; case Namespace : - requireNamespacePermission("grant", perm.getNamespace(), Action.ADMIN); + requireNamespacePermission(caller, "grant", perm.getNamespace(), Action.ADMIN); break; } @@ -2162,15 +2195,16 @@ public class AccessController extends BaseMasterAndRegionObserver if (LOG.isDebugEnabled()) { LOG.debug("Received request to revoke access permission " + perm.toString()); } + User caller = RpcServer.getRequestUser(); switch(request.getUserPermission().getPermission().getType()) { case Global : case Table : - requirePermission("revoke", perm.getTableName(), perm.getFamily(), + requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(), perm.getQualifier(), Action.ADMIN); break; case Namespace : - requireNamespacePermission("revoke", perm.getNamespace(), Action.ADMIN); + requireNamespacePermission(caller, "revoke", perm.getNamespace(), Action.ADMIN); break; } @@ -2209,11 +2243,13 @@ public class AccessController extends BaseMasterAndRegionObserver if (!initialized) { throw new CoprocessorException("AccessController not yet initialized"); } + User caller = RpcServer.getRequestUser(); + List perms = null; if (request.getType() == AccessControlProtos.Permission.Type.Table) { final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName()) : null; - requirePermission("userPermissions", table, null, null, Action.ADMIN); + requirePermission(caller, "userPermissions", table, null, null, Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction>() { @Override public List run() throws Exception { @@ -2222,7 +2258,7 @@ public class AccessController extends BaseMasterAndRegionObserver }); } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) { final String namespace = request.getNamespaceName().toStringUtf8(); - requireNamespacePermission("userPermissions", namespace, Action.ADMIN); + requireNamespacePermission(caller, "userPermissions", namespace, Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction>() { @Override public List run() throws Exception { @@ -2231,7 +2267,7 @@ public class AccessController extends BaseMasterAndRegionObserver } }); } else { - requirePermission("userPermissions", Action.ADMIN); + requirePermission(caller, "userPermissions", Action.ADMIN); perms = User.runAsLoginUser(new PrivilegedExceptionAction>() { @Override public List run() throws Exception { @@ -2268,7 +2304,7 @@ public class AccessController extends BaseMasterAndRegionObserver } AccessControlProtos.CheckPermissionsResponse response = null; try { - User user = getActiveUser(); + User user = RpcServer.getRequestUser(); TableName tableName = regionEnv.getRegion().getTableDesc().getTableName(); for (Permission permission : permissions) { if (permission instanceof TablePermission) { @@ -2362,17 +2398,16 @@ public class AccessController extends BaseMasterAndRegionObserver } @Override - public void preClose(ObserverContext e, boolean abortRequested) + public void preClose(ObserverContext c, boolean abortRequested) throws IOException { - requirePermission("preClose", Action.ADMIN); + requirePermission(getActiveUser(c), "preClose", Action.ADMIN); } - private void checkSystemOrSuperUser() throws IOException { + private void checkSystemOrSuperUser(User activeUser) throws IOException { // No need to check if we're not going to throw if (!authorizationEnabled) { return; } - User activeUser = getActiveUser(); if (!Superusers.isSuperUser(activeUser)) { throw new AccessDeniedException("User '" + (activeUser != null ? activeUser.getShortName() : "null") + "' is not system or super user."); @@ -2381,9 +2416,9 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preStopRegionServer( - ObserverContext env) + ObserverContext ctx) throws IOException { - requirePermission("preStopRegionServer", Action.ADMIN); + requirePermission(getActiveUser(ctx), "preStopRegionServer", Action.ADMIN); } private Map> makeFamilyMap(byte[] family, @@ -2412,7 +2447,7 @@ public class AccessController extends BaseMasterAndRegionObserver if (masterServices.getTableDescriptors().get(tableName) == null) { continue; } - requirePermission("getTableDescriptors", tableName, null, null, + requirePermission(getActiveUser(ctx), "getTableDescriptors", tableName, null, null, Action.ADMIN, Action.CREATE); } } @@ -2433,7 +2468,7 @@ public class AccessController extends BaseMasterAndRegionObserver while (itr.hasNext()) { HTableDescriptor htd = itr.next(); try { - requirePermission("getTableDescriptors", htd.getTableName(), null, null, + requirePermission(getActiveUser(ctx), "getTableDescriptors", htd.getTableName(), null, null, Action.ADMIN, Action.CREATE); } catch (AccessDeniedException e) { itr.remove(); @@ -2449,7 +2484,7 @@ public class AccessController extends BaseMasterAndRegionObserver while (itr.hasNext()) { HTableDescriptor htd = itr.next(); try { - requireAccess("getTableNames", htd.getTableName(), Action.values()); + requireAccess(getActiveUser(ctx), "getTableNames", htd.getTableName(), Action.values()); } catch (AccessDeniedException e) { itr.remove(); } @@ -2459,14 +2494,14 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preDispatchMerge(final ObserverContext ctx, HRegionInfo regionA, HRegionInfo regionB) throws IOException { - requirePermission("mergeRegions", regionA.getTable(), null, null, + requirePermission(getActiveUser(ctx), "mergeRegions", regionA.getTable(), null, null, Action.ADMIN); } @Override public void preClearDeadServers(ObserverContext ctx) throws IOException { - requirePermission("clearDeadServers", Action.ADMIN); + requirePermission(getActiveUser(ctx), "clearDeadServers", Action.ADMIN); } @Override @@ -2476,8 +2511,8 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preMerge(ObserverContext ctx, Region regionA, Region regionB) throws IOException { - requirePermission("mergeRegions", regionA.getTableDesc().getTableName(), null, null, - Action.ADMIN); + requirePermission(getActiveUser(ctx), "mergeRegions", regionA.getTableDesc().getTableName(), + null, null, Action.ADMIN); } @Override @@ -2503,7 +2538,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preRollWALWriterRequest(ObserverContext ctx) throws IOException { - requirePermission("preRollLogWriterRequest", Permission.Action.ADMIN); + requirePermission(getActiveUser(ctx), "preRollLogWriterRequest", Permission.Action.ADMIN); } @Override @@ -2519,7 +2554,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preReplicateLogEntries(ObserverContext ctx, List entries, CellScanner cells) throws IOException { - requirePermission("replicateLogEntries", Action.WRITE); + requirePermission(getActiveUser(ctx), "replicateLogEntries", Action.WRITE); } @Override @@ -2530,31 +2565,31 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preSetUserQuota(final ObserverContext ctx, final String userName, final Quotas quotas) throws IOException { - requirePermission("setUserQuota", Action.ADMIN); + requirePermission(getActiveUser(ctx), "setUserQuota", Action.ADMIN); } @Override public void preSetUserQuota(final ObserverContext ctx, final String userName, final TableName tableName, final Quotas quotas) throws IOException { - requirePermission("setUserTableQuota", tableName, null, null, Action.ADMIN); + requirePermission(getActiveUser(ctx), "setUserTableQuota", tableName, null, null, Action.ADMIN); } @Override public void preSetUserQuota(final ObserverContext ctx, final String userName, final String namespace, final Quotas quotas) throws IOException { - requirePermission("setUserNamespaceQuota", Action.ADMIN); + requirePermission(getActiveUser(ctx), "setUserNamespaceQuota", Action.ADMIN); } @Override public void preSetTableQuota(final ObserverContext ctx, final TableName tableName, final Quotas quotas) throws IOException { - requirePermission("setTableQuota", tableName, null, null, Action.ADMIN); + requirePermission(getActiveUser(ctx), "setTableQuota", tableName, null, null, Action.ADMIN); } @Override public void preSetNamespaceQuota(final ObserverContext ctx, final String namespace, final Quotas quotas) throws IOException { - requirePermission("setNamespaceQuota", Action.ADMIN); + requirePermission(getActiveUser(ctx), "setNamespaceQuota", Action.ADMIN); } @Override diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java index f400fd48d6..aa15a2271c 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.java @@ -206,7 +206,7 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService if(bulkLoadObservers != null) { ObserverContext ctx = - new ObserverContext(); + new ObserverContext(RpcServer.getRequestUser()); ctx.prepare(env); for(BulkLoadObserver bulkLoadObserver : bulkLoadObservers) { @@ -232,7 +232,7 @@ public class SecureBulkLoadEndpoint extends SecureBulkLoadService if(bulkLoadObservers != null) { ObserverContext ctx = - new ObserverContext(); + new ObserverContext(RpcServer.getRequestUser()); ctx.prepare(env); for(BulkLoadObserver bulkLoadObserver : bulkLoadObservers) { -- 2.21.0