-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CDAP-8257] Introduce permissions for Tables through dataset properties #7773
Conversation
anew
commented
Feb 1, 2017
- implemented as a series of grants in HBase
- HBase 0.96 and 0.98 do not have support in their APIs for that. Therefore it is not implemented in these compat modules. Instead they will log a warning as follows
- If an invalid permission string is given, the error message is:
Note that the first commit is already reviewed as part of #7771 but is not merged to develop yet (pending build success). |
@@ -33,4 +48,28 @@ public HTableDescriptor getHTableDescriptor(TableDescriptor descriptor) { | |||
public TableDescriptor getTableDescriptor(HTableDescriptor descriptor) { | |||
return HBase10CDHTableDescriptorUtil.getTableDescriptor(descriptor); | |||
} | |||
|
|||
@Override |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note this uses ConnectionFactory, which is not available in HBase before 1.0. Because the hbase-compat-base depends on HBase 0.98, this cannot be implemented in the base class and must unfortunately be copied to all compat modules. I tried to change the base to depend on HBase 1.0, but that would require updating our Hadoop dependency to 2.5.1+, and it appears to big of a change so short before code freeze.
Build running here: http://builds.cask.co/browse/CDAP-DUT5372-7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nits else LGTM 👍
TableName table = TableName.valueOf(namespace, name); | ||
try (Connection connection = ConnectionFactory.createConnection(admin.getConfiguration())) { | ||
if (!AccessControlClient.isAccessControllerRunning(connection)) { | ||
LOG.debug("Access control if off. Not granting privileges. "); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Access control is off
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops
TableName table = TableName.valueOf(namespace, name); | ||
try (Connection connection = ConnectionFactory.createConnection(admin.getConfiguration())) { | ||
if (!AccessControlClient.isAccessControllerRunning(connection)) { | ||
LOG.debug("Access control if off. Not granting privileges. "); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: is off
return actions; | ||
} | ||
|
||
@Nullable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to have @Nullable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch. I first had it return null so that the caller can throw a detailed exception. Then changed it throw here, and forgot the @nullable.
@@ -498,6 +498,12 @@ public void truncateTable(HBaseDDLExecutor ddlExecutor, TableId tableId) throws | |||
ddlExecutor.truncateTable(tableName.getNamespaceAsString(), tableName.getQualifierAsString()); | |||
} | |||
|
|||
public void grantPrivileges(HBaseDDLExecutor ddlExecutor, TableId tableId, | |||
Map<String, String> privileges) throws IOException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't need to have this method. Caller can simply call ddlExecutor.grantPersmissions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then why do we have it truncate()? I guess it still encapsulates the correct logic to map the table name to an HBase table name.
* | ||
* @param namespace the namespace of the table | ||
* @param name the name of the table | ||
* @param permissions A map from user name to the permissions for that user, given as a string containing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: A map from user or group name
@sagarkapare I addressed your comments and also added another commit (see above). Please take another look. Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor questions, else LGTM
admin.drop(); | ||
|
||
admin = getTableAdmin(CONTEXT1, "invalidPerms", TableProperties.builder() | ||
.setTablePermissions(ImmutableMap.of("joe", "iwx")).build()); // invalid perma |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: // invalid permissions
public static Map<String, String> getTablePermissions(Map<String, String> properties) { | ||
String propertyValue = properties.get(PROPERTY_TABLE_PERMISSIONS); | ||
if (propertyValue == null) { | ||
return null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
better return empty map? then the caller would have to only check for isEmpty
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The caller may have a default. If it is null, he would use the default. If it is empty, it would override his default.
if (permissions != null && !permissions.isEmpty()) { | ||
tableUtil.grantPrivileges(ddlExecutor, tableId, permissions); | ||
} | ||
} catch (IOException | RuntimeException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any reason not to catch Throwable
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because I can't rethrow that.
f29c829
to
fe29df7
Compare
squashing and rebasing to develop |
fe29df7
to
65c1014
Compare
Build for #7775 passed here: http://builds.cask.co/browse/CDAP-DUT5388-1. It is based on this one and therefore validates this one, too. |