Repository: hbase Updated Branches: refs/heads/branch-1 5cee77a1f -> a84233ae3
HBASE-12745 Visibility Labels: support visibility labels for user groups. (Addendum2 for BC between 0.98 and branch-1) (Anoop Sam John) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/a84233ae Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/a84233ae Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/a84233ae Branch: refs/heads/branch-1 Commit: a84233ae350ea921740d532cfdc2b79731f96555 Parents: 5cee77a Author: Enis Soztutar <e...@apache.org> Authored: Mon Jan 26 15:58:35 2015 -0800 Committer: Enis Soztutar <e...@apache.org> Committed: Mon Jan 26 15:58:35 2015 -0800 ---------------------------------------------------------------------- .../visibility/VisibilityController.java | 33 +++++++++++++++++--- 1 file changed, 28 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/a84233ae/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 834dfb6..0fbef44 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java @@ -827,11 +827,21 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements + "' is not authorized to perform this action."); } if (AccessControlLists.isGroupPrincipal(Bytes.toString(user))) { + // For backward compatibility. Previous custom visibilityLabelService + // implementation may not have getGroupAuths + try { + this.visibilityLabelService.getClass().getDeclaredMethod("getGroupAuths", + new Class[] { String[].class, Boolean.TYPE }); + } catch (SecurityException e) { + throw new AccessDeniedException("Failed to obtain getGroupAuths implementation"); + } catch (NoSuchMethodException e) { + throw new AccessDeniedException( + "Get group auth is not supported in this implementation"); + } String group = AccessControlLists.getGroupName(Bytes.toString(user)); - labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false); - } - else { - labels = this.visibilityLabelService.getUserAuths(user, false); + labels = this.visibilityLabelService.getGroupAuths(new String[] { group }, false); + } else { + labels = this.visibilityLabelService.getAuths(user, false); } } catch (IOException e) { ResponseConverter.setControllerException(controller, e); @@ -926,7 +936,20 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements if (user == null) { throw new IOException("Unable to retrieve calling user"); } - if (!(this.visibilityLabelService.havingSystemAuth(user))) { + boolean havingSystemAuth = false; + try { + this.visibilityLabelService.getClass().getDeclaredMethod("havingSystemAuth", + new Class[] { User.class }); + havingSystemAuth = this.visibilityLabelService.havingSystemAuth(user); + } catch (SecurityException e) { + // Just consider this as AccessDeniedException + } catch (NoSuchMethodException e) { + // VLS not having havingSystemAuth(User) method. Go with deprecated havingSystemAuth(byte[]) + // method invoke + havingSystemAuth = this.visibilityLabelService.havingSystemAuth(Bytes.toBytes(user + .getShortName())); + } + if (!havingSystemAuth) { throw new AccessDeniedException("User '" + user.getShortName() + "' is not authorized to perform this action."); }
