use of org.apache.hadoop.hbase.DoNotRetryIOException in project hbase by apache.
the class AccessController method preCheckAndDelete.
/**
 * Authorization hook run before a checkAndDelete is applied.
 *
 * <p>A {@code Delete} carrying {@code OP_ATTRIBUTE_ACL} is rejected outright with a
 * {@link DoNotRetryIOException}. Otherwise the active user is checked for both
 * {@code READ} and {@code WRITE} on the family/qualifier being compared.
 *
 * <p>Outcome when the check is not satisfied:
 * <ul>
 *   <li>cell features on and early termination not in compatibility mode: the delete is tagged
 *       with {@code CHECK_COVERING_PERM} and allowed to continue (the tag is presumably consumed
 *       by a later cell-level check that is not visible in this method);</li>
 *   <li>otherwise, if {@code authorizationEnabled}: {@link AccessDeniedException};</li>
 *   <li>otherwise: the denial is only logged via {@code logResult} and the call proceeds.</li>
 * </ul>
 *
 * <p>{@code row}, {@code compareOp} and {@code comparator} are not consulted here.
 *
 * @param c observer context; supplies the region environment and the active user
 * @param family column family of the compared cell
 * @param qualifier qualifier of the compared cell
 * @param delete the delete that will run if the comparison succeeds
 * @param result value handed in by the caller, returned unchanged
 * @return {@code result}, unmodified
 * @throws DoNotRetryIOException if the delete carries an ACL attribute
 * @throws AccessDeniedException if access is denied and enforcement applies
 * @throws IOException propagated from the helpers called here
 */
@Override
public boolean preCheckAndDelete(final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family, final byte[] qualifier, final CompareFilter.CompareOp compareOp, final ByteArrayComparable comparator, final Delete delete, final boolean result) throws IOException {
  // An ACL attached to a delete would never take effect, so refuse it instead of ignoring it.
  final boolean carriesAcl = delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null;
  if (carriesAcl) {
    throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " + delete.toString());
  }

  // READ covers the "check" half, WRITE the "delete" half of the operation.
  final RegionCoprocessorEnvironment regionEnv = c.getEnvironment();
  final Map<byte[], ? extends Collection<byte[]>> familyMap = makeFamilyMap(family, qualifier);
  final User caller = getActiveUser(c);
  final AuthResult decision = permissionGranted(OpType.CHECK_AND_DELETE, caller, regionEnv, familyMap, Action.READ, Action.WRITE);
  // The decision is logged whether or not it ends up being enforced below.
  logResult(decision);

  if (decision.isAllowed()) {
    return result;
  }
  if (cellFeaturesEnabled && !compatibleEarlyTermination) {
    // Defer instead of denying: mark the operation so the covering-permission check is applied.
    delete.setAttribute(CHECK_COVERING_PERM, TRUE);
    return result;
  }
  if (authorizationEnabled) {
    throw new AccessDeniedException("Insufficient permissions " + decision.toContextString());
  }
  // Enforcement is switched off: the denial was logged above and the call is let through.
  return result;
}
use of org.apache.hadoop.hbase.DoNotRetryIOException in project hbase by apache.
the class VisibilityController method addLabels.
/****************************** VisibilityEndpoint service related methods ******************************/
/**
 * Endpoint method that registers new visibility labels and reports one result per requested label.
 *
 * <p>If the controller is not yet initialized, every slot of the response is filled with a
 * {@code VisibilityControllerNotReadyException}. Otherwise the caller is checked with
 * {@code checkCallingUserAuth()} only when {@code authorizationEnabled} is set; with it unset no
 * caller check is made in this method.
 *
 * <p>The response is first filled with a shared "success" placeholder per label; slots whose
 * {@code OperationStatus} is not {@code SUCCESS} are then overwritten with a
 * {@link DoNotRetryIOException} built from the status message. The "allowed" audit entry is
 * written once the service call returns, regardless of the per-label status codes.
 *
 * <p>{@code done} is always invoked with the built response unless an unchecked exception escapes.
 *
 * @param controller RPC controller (not used in this method)
 * @param request carries the labels to add
 * @param done callback that receives the response
 */
@Override
public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
  final VisibilityLabelsResponse.Builder reply = VisibilityLabelsResponse.newBuilder();
  final List<VisibilityLabel> requested = request.getVisLabelList();
  if (initialized) {
    final List<byte[]> labels = new ArrayList<>(requested.size());
    try {
      if (authorizationEnabled) {
        checkCallingUserAuth();
      }
      final RegionActionResult okResult = RegionActionResult.newBuilder().build();
      for (VisibilityLabel requestedLabel : requested) {
        labels.add(requestedLabel.getLabel().toByteArray());
        // Provisionally mark the slot as success; it is overwritten below according to the
        // status returned by visibilityLabelService.addLabels().
        reply.addResult(okResult);
      }
      if (!labels.isEmpty()) {
        final OperationStatus[] statuses = this.visibilityLabelService.addLabels(labels);
        logResult(true, "addLabels", "Adding labels allowed", null, labels, null);
        int slot = 0;
        for (OperationStatus status : statuses) {
          // Identity comparison on purpose: advance to the next slot still holding the
          // shared placeholder instance.
          while (reply.getResult(slot) != okResult) {
            slot++;
          }
          if (status.getOperationStatusCode() != SUCCESS) {
            reply.setResult(slot, RegionActionResult.newBuilder()
                .setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())))
                .build());
          }
          slot++;
        }
      }
    } catch (AccessDeniedException e) {
      // Denials get an audit entry in addition to the error log.
      logResult(false, "addLabels", e.getMessage(), null, labels, null);
      LOG.error("User is not having required permissions to add labels", e);
      setExceptionResults(requested.size(), e, reply);
    } catch (IOException e) {
      LOG.error(e);
      setExceptionResults(requested.size(), e, reply);
    }
  } else {
    setExceptionResults(requested.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), reply);
  }
  done.run(reply.build());
}
use of org.apache.hadoop.hbase.DoNotRetryIOException in project hbase by apache.
the class VisibilityController method clearAuths.
/**
 * Endpoint method that removes label authorizations from the user named in the request and
 * reports one result per requested authorization.
 *
 * <p>If the controller is not yet initialized, every slot of the response is filled with a
 * {@code CoprocessorException}. With {@code authorizationEnabled} set, two checks run in order:
 * when the AccessController is available the caller must be a system or super user, and then
 * {@code checkCallingUserAuth()} is called. With {@code authorizationEnabled} unset neither check
 * runs in this method.
 *
 * <p>Each {@code OperationStatus} from the service becomes either the shared success result or a
 * {@link DoNotRetryIOException} built from the status message. The "allowed" audit entry is
 * written once the service call returns, before the individual status codes are examined.
 *
 * @param controller RPC controller (not used in this method)
 * @param request carries the target user and the authorizations to clear
 * @param done callback that receives the response
 */
@Override
public synchronized void clearAuths(RpcController controller, SetAuthsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
  final VisibilityLabelsResponse.Builder reply = VisibilityLabelsResponse.newBuilder();
  final List<ByteString> requestedAuths = request.getAuthList();
  if (initialized) {
    // The user whose authorizations are being removed (not the caller).
    final byte[] targetUser = request.getUser().toByteArray();
    final List<byte[]> labelAuths = new ArrayList<>(requestedAuths.size());
    try {
      // When AC is ON, do AC based user auth check
      if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
        final User caller = VisibilityUtils.getActiveUser();
        final String shortName = (caller == null) ? "null" : caller.getShortName();
        // Message text is reproduced verbatim, including its unbalanced quote.
        throw new AccessDeniedException("User '" + shortName + " is not authorized to perform this action.");
      }
      if (authorizationEnabled) {
        // When AC is not in place the calling user should have SYSTEM_LABEL auth to do this
        // action. NOTE(review): the call is made whenever authorizationEnabled is set; whether
        // it is a no-op when the AccessController is present is decided inside
        // checkCallingUserAuth(), which is not visible here.
        checkCallingUserAuth();
      }
      for (ByteString requestedAuth : requestedAuths) {
        labelAuths.add(requestedAuth.toByteArray());
      }
      final OperationStatus[] statuses = this.visibilityLabelService.clearAuths(targetUser, labelAuths);
      logResult(true, "clearAuths", "Removing authorization for labels allowed", targetUser, labelAuths, null);
      final RegionActionResult okResult = RegionActionResult.newBuilder().build();
      for (OperationStatus status : statuses) {
        if (status.getOperationStatusCode() != SUCCESS) {
          reply.addResult(RegionActionResult.newBuilder()
              .setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())))
              .build());
        } else {
          reply.addResult(okResult);
        }
      }
    } catch (AccessDeniedException e) {
      // Denials get an audit entry in addition to the error log.
      logResult(false, "clearAuths", e.getMessage(), targetUser, labelAuths, null);
      LOG.error("User is not having required permissions to clear authorization", e);
      setExceptionResults(requestedAuths.size(), e, reply);
    } catch (IOException e) {
      LOG.error(e);
      setExceptionResults(requestedAuths.size(), e, reply);
    }
  } else {
    setExceptionResults(requestedAuths.size(), new CoprocessorException("VisibilityController not yet initialized"), reply);
  }
  done.run(reply.build());
}
use of org.apache.hadoop.hbase.DoNotRetryIOException in project hbase by apache.
the class AccessController method preAppend.
/**
 * Authorization hook run before an append is applied.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>{@code checkForReservedTagPresence(user, append)} is called first (presumably rejecting
 *       reserved tags supplied by the client; its logic is not visible here).</li>
 *   <li>The active user is checked for {@code WRITE} on the cells of the append. If that is not
 *       satisfied: with cell features on and early termination not in compatibility mode the
 *       append is tagged with {@code CHECK_COVERING_PERM} and continues; otherwise, if
 *       {@code authorizationEnabled}, an {@link AccessDeniedException} is thrown; otherwise the
 *       denial is only logged.</li>
 *   <li>If the append carries {@code OP_ATTRIBUTE_ACL}, the ACL bytes are attached to its cells
 *       when cell features are on, and rejected with a {@link DoNotRetryIOException} when they
 *       are off.</li>
 * </ol>
 *
 * @param c observer context; supplies the region environment and the active user
 * @param append the append about to be executed; may be mutated (attribute, cell permissions)
 * @return always {@code null}
 * @throws AccessDeniedException if access is denied and enforcement applies
 * @throws DoNotRetryIOException if a cell ACL is supplied while cell features are disabled
 * @throws IOException propagated from the helpers called here
 */
@Override
public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append) throws IOException {
  final User caller = getActiveUser(c);
  checkForReservedTagPresence(caller, append);

  // Require WRITE permission to the table, CF, and the KV to be appended
  final RegionCoprocessorEnvironment regionEnv = c.getEnvironment();
  final Map<byte[], ? extends Collection<Cell>> cellsByFamily = append.getFamilyCellMap();
  final AuthResult decision = permissionGranted(OpType.APPEND, caller, regionEnv, cellsByFamily, Action.WRITE);
  // The decision is logged whether or not it ends up being enforced below.
  logResult(decision);
  if (!decision.isAllowed()) {
    final boolean deferToCoveringCheck = cellFeaturesEnabled && !compatibleEarlyTermination;
    if (deferToCoveringCheck) {
      // Defer instead of denying: mark the operation so the covering-permission check is applied.
      append.setAttribute(CHECK_COVERING_PERM, TRUE);
    } else if (authorizationEnabled) {
      throw new AccessDeniedException("Insufficient permissions " + decision.toContextString());
    }
  }

  final byte[] aclBytes = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
  if (aclBytes != null) {
    // Fail loudly rather than drop an ACL the client expects to be stored.
    if (!cellFeaturesEnabled) {
      throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
    }
    addCellPermissions(aclBytes, append.getFamilyCellMap());
  }
  return null;
}
use of org.apache.hadoop.hbase.DoNotRetryIOException in project hbase by apache.
the class BlockingRpcConnection method setupIOstreams.
/**
 * Establishes the socket and the connection's input/output streams, performing the SASL
 * handshake when {@code useSasl} is set, then starts the receiver thread.
 *
 * <p>Returns immediately if a socket already exists. Refuses to connect, with a
 * {@code FailedServerException}, when the remote address is on the client's failed-servers list.
 *
 * <p>On any failure the socket is closed. Unless the failure is an interrupt (as determined by
 * {@code ExceptionUtil.asInterrupt}), the remote address is added to the failed-servers list; a
 * {@link LinkageError} is wrapped in a {@link DoNotRetryIOException}, an {@link IOException} is
 * rethrown as is, and anything else is wrapped in a new {@link IOException}.
 *
 * @throws IOException if the connection cannot be set up
 */
private void setupIOstreams() throws IOException {
if (socket != null) {
// The connection is already available. Perfect.
return;
}
// Do not even attempt servers recorded as failed; fail fast instead.
if (this.rpcClient.failedServers.isFailedServer(remoteId.getAddress())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Not trying to connect to " + remoteId.address + " this server is in the failed servers list");
}
throw new FailedServerException("This server is in the failed servers list: " + remoteId.address);
}
try {
if (LOG.isDebugEnabled()) {
LOG.debug("Connecting to " + remoteId.address);
}
// Count of SASL handshake failures so far; passed with MAX_RETRIES to the failure handler.
short numRetries = 0;
final short MAX_RETRIES = 5;
// Each iteration is one full attempt; the only way back to the top is the `continue` in the
// SASL failure path below.
while (true) {
setupConnection();
InputStream inStream = NetUtils.getInputStream(socket);
// This creates a socket with a write timeout. This timeout cannot be changed.
OutputStream outStream = NetUtils.getOutputStream(socket, this.rpcClient.writeTO);
// Write out the preamble -- MAGIC, version, and auth to use.
writeConnectionHeaderPreamble(outStream);
if (useSasl) {
// Final copies so the anonymous PrivilegedExceptionAction below can capture them.
final InputStream in2 = inStream;
final OutputStream out2 = outStream;
UserGroupInformation ticket = getUGI();
boolean continueSasl;
if (ticket == null) {
throw new FatalConnectionException("ticket/user is null");
}
try {
// Run the handshake under the ticket's identity.
continueSasl = ticket.doAs(new PrivilegedExceptionAction<Boolean>() {
@Override
public Boolean run() throws IOException {
return setupSaslConnection(in2, out2);
}
});
} catch (Exception ex) {
ExceptionUtil.rethrowIfInterrupt(ex);
// Presumably throws once MAX_RETRIES is exceeded and otherwise prepares a retry -- the
// handler is not visible here; confirm it bounds this loop.
handleSaslConnectionFailure(numRetries++, MAX_RETRIES, ex, ticket);
continue;
}
if (continueSasl) {
// Sasl connect is successful. Let's set up Sasl i/o streams.
inStream = saslRpcClient.getInputStream();
outStream = saslRpcClient.getOutputStream();
} else {
// fall back to simple auth because server told us so.
// do not change authMethod and useSasl here, we should start from secure when
// reconnecting because regionserver may change its sasl config after restart.
// In this branch the raw socket streams stay in use, i.e. the SASL streams are not
// installed for this connection.
// NOTE(review): confirm that setupSaslConnection only returns false when the client
// configuration explicitly permits falling back from SASL to simple auth.
}
}
this.in = new DataInputStream(new BufferedInputStream(inStream));
this.out = new DataOutputStream(new BufferedOutputStream(outStream));
// Now write out the connection header
writeConnectionHeader();
// process the response from server for connection header if necessary
processResponseForConnectionHeader();
break;
}
} catch (Throwable t) {
// Any failure tears the socket down before the exception is classified.
closeSocket();
// Non-null when t represents an interrupt; then it is rethrown without marking the server failed.
IOException e = ExceptionUtil.asInterrupt(t);
if (e == null) {
this.rpcClient.failedServers.addToFailedServers(remoteId.address);
if (t instanceof LinkageError) {
// probably the hbase hadoop version does not match the running hadoop version
e = new DoNotRetryIOException(t);
} else if (t instanceof IOException) {
e = (IOException) t;
} else {
e = new IOException("Could not set up IO Streams to " + remoteId.address, t);
}
}
throw e;
}
// start the receiver thread after the socket connection has been set up
thread = new Thread(this, threadName);
// Daemon thread: it will not keep the JVM alive on its own.
thread.setDaemon(true);
thread.start();
}