HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user #163

mymeiyi · 2019-04-18T02:22:16Z

To make hbase granted user have the access to scan table snapshots, use HDFS ACLs to set user 'access r-x' or 'default r-x' ACLs over hfiles.
The basic implementation is:

For public directories such as 'data' and 'archive', set other users' permission to '--x' to make everyone have the permission to access the directory.
For namespace or table directories such as 'data/ns/table', 'archive/data/ns/table' and '.hbase-snapshot/snapshotName', set user 'r-x' acl and default 'r-x' acl when grant, revoke, snapshot.
The feature is configurable because it's implemented in a master coprocessor.

Apache-HBase · 2019-04-18T06:46:23Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	394	Docker mode activated.
		_ Prechecks _
+1	hbaseanti	0	Patch does not have any anti-patterns.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 1 new or modified test files.
		_ master Compile Tests _
+1	mvninstall	302	master passed
+1	compile	55	master passed
+1	checkstyle	72	master passed
+1	shadedjars	281	branch has no errors when building our shaded downstream artifacts.
+1	findbugs	215	master passed
+1	javadoc	34	master passed
		_ Patch Compile Tests _
+1	mvninstall	258	the patch passed
+1	compile	53	the patch passed
+1	javac	53	the patch passed
-1	checkstyle	67	hbase-server: The patch generated 3 new + 51 unchanged - 2 fixed = 54 total (was 53)
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedjars	269	patch has no errors when building our shaded downstream artifacts.
+1	hadoopcheck	554	Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0.
+1	findbugs	213	the patch passed
+1	javadoc	34	the patch passed
		_ Other Tests _
-1	unit	12876	hbase-server in the patch failed.
+1	asflicense	28	The patch does not generate ASF License warnings.
		15781

Reason	Tests
Failed junit tests	hadoop.hbase.client.TestFromClientSide

Subsystem	Report/Notes
Docker	Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/1/artifact/out/Dockerfile
GITHUB PR	#163
Optional Tests	dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile
uname	Linux 495d4df97ab4 4.4.0-137-generic #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 x86_64 GNU/Linux
Build tool	maven
Personality	/testptch/patchprocess/precommit/personality/provided.sh
git revision	master / `428afa9`
maven	version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
Default Java	1.8.0_181
findbugs	v3.1.11
checkstyle	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/1/artifact/out/diff-checkstyle-hbase-server.txt
unit	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/1/artifact/out/patch-unit-hbase-server.txt
Test Results	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/1/testReport/
Max. process+thread count	4769 (vs. ulimit of 10000)
modules	C: hbase-server U: hbase-server
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/1/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

...er/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/io/FileLink.java

@@ -314,12 +316,24 @@ private FSDataInputStream tryOpen() throws IOException {
          return(in);
        } catch (FileNotFoundException e) {
          // Try another file location
+        } catch (AccessControlException e) {


Here, I prefer to simplify the logic as a small method:

remember the thrown exception as e;

if notfound or accessControl exception, continue to try another file;

if still not find an right file. then throw the e.
Please consider this.

Please abstract all the exception handling logic as method named handleException ?

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/io/FileLink.java

    for (int i = 0; i < locations.length; ++i) {
      try {
        return fs.getFileStatus(locations[i]);
      } catch (FileNotFoundException e) {
        // Try another file location
+      } catch (AccessControlException e) {


Same question above.

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+ */
+@CoreCoprocessor
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
+public class HDFSAclController implements MasterCoprocessor, MasterObserver {


Not a good class name, the class want to sync file acl between HBase and HDFS ? and mostly for those directories when scanning snapshot ? we don't consider those directories which is unrelated to snapshot, such as WAL, oldWals etc... Please consider another name.

How about "SnapshotScannerHDFSAclController"?

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+  }
+
+  @Override
+  public void preMasterInitialization(final ObserverContext<MasterCoprocessorEnvironment> c)


the final can remove now in jdk8 ?

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+        masterServices = ((HasMasterServices) mEnv).getMasterServices();
+      }
+      if (masterServices == null) {
+        throw new RuntimeException("master services can not be null");


IllegalArgumentException ?

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+        if (!fs.exists(path)) {
+          fs.mkdirs(path);
+        }
+        fs.setPermission(path, ACL_ENABLE_PUBLIC_HFILE_PERMISSION);


This acl need also to be configurable ?

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+                ColumnFamilyDescriptorBuilder.newBuilder(HDFSAclStorage.HDFS_ACL_FAMILY).build());
+          admin.modifyTable(builder.build());
+        }
+      }


What if the hbase:acl does not exist ? should throw an exception ?

This coprocessor should be configured after the AccessController, if hbase:acl table does not exist, the AccessController will not work incorrectly firstly?
Let me add some logs and throw an TableNotFoundException here.

openinx · 2019-04-19T04:19:19Z

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/HDFSAclController.java

+    try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
+      if (admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
+        // check if hbase:acl table has 'm' CF
+        TableDescriptor tableDescriptor = admin.getDescriptor(PermissionStorage.ACL_TABLE_NAME);


Would the newly introduced CF impact the original AccessController ?

The new CF is only used in this CP, it records if the hbase read permission is synchronized to related hfile.
This flag has two usages:

check if we need to remove hdfs acls for a grant without READ permission;

skip some hdfs acl sync because it may be already added.

Apache-HBase · 2019-04-21T01:24:25Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	38	Docker mode activated.
		_ Prechecks _
+1	hbaseanti	0	Patch does not have any anti-patterns.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 1 new or modified test files.
		_ master Compile Tests _
+1	mvninstall	310	master passed
+1	compile	67	master passed
+1	checkstyle	85	master passed
+1	shadedjars	337	branch has no errors when building our shaded downstream artifacts.
+1	findbugs	287	master passed
+1	javadoc	41	master passed
		_ Patch Compile Tests _
+1	mvninstall	302	the patch passed
+1	compile	68	the patch passed
+1	javac	68	the patch passed
-1	checkstyle	83	hbase-server: The patch generated 3 new + 51 unchanged - 2 fixed = 54 total (was 53)
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedjars	339	patch has no errors when building our shaded downstream artifacts.
+1	hadoopcheck	621	Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0.
+1	findbugs	298	the patch passed
+1	javadoc	40	the patch passed
		_ Other Tests _
+1	unit	14069	hbase-server in the patch passed.
+1	asflicense	31	The patch does not generate ASF License warnings.
		17083

Subsystem	Report/Notes
Docker	Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/2/artifact/out/Dockerfile
GITHUB PR	#163
Optional Tests	dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile
uname	Linux 3763afd5e56d 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux
Build tool	maven
Personality	/testptch/patchprocess/precommit/personality/provided.sh
git revision	master / `f30d6c9`
maven	version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
Default Java	1.8.0_181
findbugs	v3.1.11
checkstyle	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/2/artifact/out/diff-checkstyle-hbase-server.txt
Test Results	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/2/testReport/
Max. process+thread count	4655 (vs. ulimit of 10000)
modules	C: hbase-server U: hbase-server
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/2/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2019-04-30T09:13:02Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	0	Docker mode activated.
-1	patch	7	#163 does not apply to master. Rebase required? Wrong Branch? See https://yetus.apache.org/documentation/in-progress/precommit-patchnames for help.

Subsystem	Report/Notes
GITHUB PR	#163
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/3/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2019-05-07T09:22:52Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	58	Docker mode activated.
		_ Prechecks _
+1	hbaseanti	0	Patch does not have any anti-patterns.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 1 new or modified test files.
		_ master Compile Tests _
+1	mvninstall	331	master passed
+1	compile	58	master passed
+1	checkstyle	72	master passed
+1	shadedjars	289	branch has no errors when building our shaded downstream artifacts.
+1	findbugs	228	master passed
+1	javadoc	36	master passed
		_ Patch Compile Tests _
+1	mvninstall	259	the patch passed
+1	compile	60	the patch passed
+1	javac	60	the patch passed
-1	checkstyle	76	hbase-server: The patch generated 4 new + 51 unchanged - 2 fixed = 55 total (was 53)
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedjars	275	patch has no errors when building our shaded downstream artifacts.
+1	hadoopcheck	601	Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0.
-1	findbugs	239	hbase-server generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
+1	javadoc	34	the patch passed
		_ Other Tests _
-1	unit	20409	hbase-server in the patch failed.
+1	asflicense	31	The patch does not generate ASF License warnings.
		23451

Reason	Tests
FindBugs	module:hbase-server
	Exception is caught when Exception is not thrown in org.apache.hadoop.hbase.security.access.HDFSAclHelper.grant(byte[], Set) At HDFSAclHelper.java:is not thrown in org.apache.hadoop.hbase.security.access.HDFSAclHelper.grant(byte[], Set) At HDFSAclHelper.java:[line 152]
Failed junit tests	hadoop.hbase.master.TestMasterMetricsWrapper
	hadoop.hbase.security.access.TestHDFSAclController
	hadoop.hbase.client.TestSnapshotTemporaryDirectoryWithRegionReplicas
	hadoop.hbase.client.TestHbck
	hadoop.hbase.client.TestFromClientSide3
	hadoop.hbase.master.procedure.TestTruncateTableProcedure
	hadoop.hbase.tool.TestLoadIncrementalHFiles
	hadoop.hbase.master.TestAssignmentManagerMetrics
	hadoop.hbase.client.TestAdmin1
	hadoop.hbase.client.replication.TestReplicationAdminWithClusters
	hadoop.hbase.master.procedure.TestProcedurePriority
	hadoop.hbase.replication.TestReplicationSyncUpTool
	hadoop.hbase.namespace.TestNamespaceAuditor
	hadoop.hbase.replication.TestReplicationSmallTestsSync
	hadoop.hbase.client.TestFromClientSide
	hadoop.hbase.master.TestSplitWALManager
	hadoop.hbase.master.procedure.TestSCPWithoutZKCoordinated
	hadoop.hbase.client.TestFromClientSideWithCoprocessor
	hadoop.hbase.util.TestFromClientSide3WoUnsafe
	hadoop.hbase.client.TestSnapshotDFSTemporaryDirectory
	hadoop.hbase.tool.TestSecureLoadIncrementalHFiles
	hadoop.hbase.client.TestSnapshotTemporaryDirectory
	hadoop.hbase.replication.TestReplicationSmallTests

Subsystem	Report/Notes
Docker	Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/artifact/out/Dockerfile
GITHUB PR	#163
Optional Tests	dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile
uname	Linux b3efbe6fa87c 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux
Build tool	maven
Personality	/testptch/patchprocess/precommit/personality/provided.sh
git revision	master / `67c937f`
maven	version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
Default Java	1.8.0_181
findbugs	v3.1.11
checkstyle	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/artifact/out/diff-checkstyle-hbase-server.txt
findbugs	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/artifact/out/new-findbugs-hbase-server.html
unit	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/artifact/out/patch-unit-hbase-server.txt
Test Results	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/testReport/
Max. process+thread count	5240 (vs. ulimit of 10000)
modules	C: hbase-server U: hbase-server
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/4/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

openinx · 2019-05-07T09:37:27Z

@mymeiyi Please check the failed UT.

Apache9 · 2019-05-14T03:00:29Z

Any updates here?

Apache-HBase · 2019-05-15T11:31:28Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	0	Docker mode activated.
-1	patch	10	#163 does not apply to master. Rebase required? Wrong Branch? See https://yetus.apache.org/documentation/in-progress/precommit-patchnames for help.

Subsystem	Report/Notes
GITHUB PR	#163
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/5/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2019-05-16T01:31:02Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	0	Docker mode activated.
-1	patch	8	#163 does not apply to master. Rebase required? Wrong Branch? See https://yetus.apache.org/documentation/in-progress/precommit-patchnames for help.

Subsystem	Report/Notes
GITHUB PR	#163
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/6/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2019-05-30T03:38:21Z

💔 -1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	0	Docker mode activated.
-1	patch	6	#163 does not apply to master. Rebase required? Wrong Branch? See https://yetus.apache.org/documentation/in-progress/precommit-patchnames for help.

Subsystem	Report/Notes
GITHUB PR	#163
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-163/7/console
Powered by	Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

openinx reviewed Apr 19, 2019

View changes

Apache-HBase mentioned this pull request Apr 19, 2019

HBASE-22273. Include queuetime in the condition of reponseTooSlow #166

Closed

mymeiyi force-pushed the mymeiyi:hdfs-acl branch from ee7537f to 09a1337 May 7, 2019

Apache-HBase mentioned this pull request May 14, 2019

HBASE-22404 Open/Close region request may be executed twice when mast… #234

Merged

mymeiyi force-pushed the mymeiyi:hdfs-acl branch from 09a1337 to bc938b1 May 15, 2019

Apache-HBase mentioned this pull request May 15, 2019

HBASE-22311 - Update community docs to recommend use of "Co-authored-… #235

Merged

mymeiyi force-pushed the mymeiyi:hdfs-acl branch from bc938b1 to 3ab2330 May 16, 2019

This was referenced May 16, 2019

HBASE-22432 HRegionServer rssStub handling is incorrect and inconsistent #241

Closed

HBASE-22449 https everywhere in Maven metadata #247

Merged

This was referenced May 28, 2019

HBASE-22486 Fix flaky test TestLockManager #260

Merged

HBASE-22488 Cleanup the explicit timeout value for test methods #262

Merged

HBASE-22490 Nightly client integration test fails with hadoop-3.0.3 #265

Merged

mymeiyi force-pushed the mymeiyi:hdfs-acl branch from 3ab2330 to eac82c0 May 30, 2019

apache/hbase

HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user #163

HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user #163

mymeiyi commented Apr 18, 2019

This comment has been minimized.

Apache-HBase commented Apr 18, 2019

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

Apache-HBase commented Apr 21, 2019

This comment has been minimized.

Apache-HBase commented Apr 30, 2019

This comment has been minimized.

Apache-HBase commented May 7, 2019

This comment has been minimized.

openinx commented May 7, 2019

This comment has been minimized.

Apache9 commented May 14, 2019

This comment has been minimized.

Apache-HBase commented May 15, 2019

This comment has been minimized.

Apache-HBase commented May 16, 2019

This comment has been minimized.

Apache-HBase commented May 30, 2019

apache/hbase

Join GitHub today

HBASE-21995 Add a coprocessor to set HDFS ACL for hbase granted user #163

Conversation

mymeiyi commented Apr 18, 2019

This comment has been minimized.

Apache-HBase commented Apr 18, 2019

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

mymeiyi May 15, 2019 • edited

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

Apache-HBase commented Apr 21, 2019

This comment has been minimized.

Apache-HBase commented Apr 30, 2019

This comment has been minimized.

Apache-HBase commented May 7, 2019

This comment has been minimized.

openinx commented May 7, 2019

This comment has been minimized.

Apache9 commented May 14, 2019

This comment has been minimized.

Apache-HBase commented May 15, 2019

This comment has been minimized.

Apache-HBase commented May 16, 2019

This comment has been minimized.

Apache-HBase commented May 30, 2019

mymeiyi May 15, 2019 •

edited