HBASE-17717 Explicitly use "sasl" ACL scheme for hbase superuser
The special "auth" ZK ACL scheme will always set the ACL's id (the
user who is allowed) to be the authenticated user of the ZK connection.
This results in the HBase superuser not actually receiving the
permissions as the ZKUtil intends to do. Since we know we have security
enabled, we can instead explicitly list "sasl" as the ACL scheme
instead.
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index d37adf4..fa92e03 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -918,7 +918,7 @@
// TODO: Set node ACL for groups when ZK supports this feature
groups.add(user);
} else {
- acls.add(new ACL(Perms.ALL, new Id("auth", user)));
+ acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
}
}
if (!groups.isEmpty()) {
diff --git a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
index f875195..cb22024 100644
--- a/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
+++ b/hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKUtil.java
@@ -27,6 +27,7 @@
import org.apache.hadoop.hbase.ZooKeeperConnectionException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
@@ -49,6 +50,29 @@
}
@Test
+ public void testUnsecure() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+ String node = "/hbase/testUnsecure";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, false);
+ Assert.assertEquals(aclList.size(), 1);
+ Assert.assertTrue(aclList.contains(Ids.OPEN_ACL_UNSAFE.iterator().next()));
+ }
+
+ @Test
+ public void testSecuritySingleSuperuser() throws ZooKeeperConnectionException, IOException {
+ Configuration conf = HBaseConfiguration.create();
+ conf.set(Superusers.SUPERUSER_CONF_KEY, "user1");
+ String node = "/hbase/testSecuritySingleSuperuser";
+ ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
+ List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
+ Assert.assertEquals(aclList.size(), 2); // 1+1, since ACL will be set for the creator by default
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+ Assert.assertTrue(aclList.contains(Ids.CREATOR_ALL_ACL.iterator().next()));
+ }
+
+ @Test
public void testCreateACL() throws ZooKeeperConnectionException, IOException {
Configuration conf = HBaseConfiguration.create();
conf.set(Superusers.SUPERUSER_CONF_KEY, "user1,@group1,user2,@group2,user3");
@@ -56,10 +80,10 @@
ZooKeeperWatcher watcher = new ZooKeeperWatcher(conf, node, null, false);
List<ACL> aclList = ZKUtil.createACL(watcher, node, true);
Assert.assertEquals(aclList.size(), 4); // 3+1, since ACL will be set for the creator by default
- Assert.assertTrue(!aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group1")))
- && !aclList.contains(new ACL(Perms.ALL, new Id("auth", "@group2"))));
- Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", "user1")))
- && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user2")))
- && aclList.contains(new ACL(Perms.ALL, new Id("auth", "user3"))));
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1"))));
+ Assert.assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group2"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user1"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user2"))));
+ Assert.assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user3"))));
}
}
