
Example 1 with BlockingRpcChannel

use of org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel in project hbase by apache.

the class HRegionServer method createRegionServerStatusStub.

/**
 * Looks up the active master and builds the blocking RPC stubs ({@code rssStub} and
 * {@code lockStub}) over a single channel to it. Nothing is rebuilt while {@code rssStub} is
 * non-null, so callers that want a fresh connection must null it first. The call blocks,
 * retrying every 200 ms, until a master is reachable or {@code keepLooping()} turns false
 * (i.e. a stop was requested).
 * <p>
 * The master address is taken from {@code masterAddressTracker} and used as returned; the
 * channel is opened under the identity supplied by {@code userProvider.getCurrent()}.
 * <p>
 * NOTE(review): if the loop ends because {@code keepLooping()} turned false right after a
 * failed connection attempt, the last master name is still returned while both stubs are set
 * to null. Callers should check {@code rssStub} as well as the return value.
 * @param refresh If true then master address will be read from ZK, otherwise use cached data
 * @return master + port, or null if server has been stopped
 */
@InterfaceAudience.Private
protected synchronized ServerName createRegionServerStatusStub(boolean refresh) {
    if (rssStub != null) {
        // Already connected: just report the tracker's current master.
        return masterAddressTracker.getMasterAddress();
    }
    ServerName masterName = null;
    long lastLogMillis = 0;
    RegionServerStatusService.BlockingInterface pendingRssStub = null;
    LockService.BlockingInterface pendingLockStub = null;
    // Interrupts seen while sleeping are remembered and re-asserted in the finally block,
    // so the retry loop itself is not cut short by them.
    boolean wasInterrupted = false;
    try {
        while (keepLooping()) {
            masterName = this.masterAddressTracker.getMasterAddress(refresh);
            if (masterName != null) {
                try {
                    BlockingRpcChannel channel = this.rpcClient.createBlockingRpcChannel(masterName, userProvider.getCurrent(), shortOperationTimeout);
                    pendingRssStub = RegionServerStatusService.newBlockingStub(channel);
                    pendingLockStub = LockService.newBlockingStub(channel);
                    break;
                } catch (IOException e) {
                    // Log at most once per second to avoid flooding while the master is down.
                    if (EnvironmentEdgeManager.currentTime() > (lastLogMillis + 1000)) {
                        IOException cause = e;
                        if (e instanceof RemoteException) {
                            cause = ((RemoteException) e).unwrapRemoteException();
                        }
                        if (cause instanceof ServerNotRunningYetException) {
                            LOG.info("Master isn't available yet, retrying");
                        } else {
                            LOG.warn("Unable to connect to master. Retrying. Error was:", cause);
                        }
                        lastLogMillis = EnvironmentEdgeManager.currentTime();
                    }
                    wasInterrupted |= sleepInterrupted(200);
                }
            } else {
                if (!keepLooping()) {
                    // Stop requested and still no master: give up without a connection.
                    LOG.debug("No master found and cluster is stopped; bailing out");
                    return null;
                }
                if (EnvironmentEdgeManager.currentTime() > (lastLogMillis + 1000)) {
                    LOG.debug("No master found; retry");
                    lastLogMillis = EnvironmentEdgeManager.currentTime();
                }
                // The cached address was empty, so read it from ZK on the next pass.
                refresh = true;
                wasInterrupted |= sleepInterrupted(200);
            }
        }
    } finally {
        if (wasInterrupted) {
            Thread.currentThread().interrupt();
        }
    }
    // Publish both stubs together; either both are set or both are null.
    this.rssStub = pendingRssStub;
    this.lockStub = pendingLockStub;
    return masterName;
}
Also used : LockService(org.apache.hadoop.hbase.shaded.protobuf.generated.LockServiceProtos.LockService) ServerName(org.apache.hadoop.hbase.ServerName) RegionServerStatusService(org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService) BlockingRpcChannel(org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel) IOException(java.io.IOException) DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException) RemoteException(org.apache.hadoop.ipc.RemoteException) ServerNotRunningYetException(org.apache.hadoop.hbase.ipc.ServerNotRunningYetException)

Example 2 with BlockingRpcChannel

use of org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel in project hbase by apache.

the class TestAccessController method testGrantRevoke.

/**
 * Checks who may grant, revoke and list permissions on TEST_TABLE. The same operations are
 * exercised through three entry points: the Admin API, the AccessController pre-hooks called
 * directly, and the AccessControlService coprocessor endpoint on the ACL table.
 * <p>
 * Expected outcome, as asserted below: SUPERUSER, USER_ADMIN, USER_OWNER and USER_GROUP_ADMIN
 * are allowed; every other listed user is denied. The one exception is listing global
 * permissions, where USER_OWNER is denied as well.
 * <p>
 * verifyAllowed/verifyDenied are defined outside this listing; presumably they run the action
 * as each listed user and assert the outcome. Confirm against the helper.
 */
@Test
public void testGrantRevoke() throws Exception {
    // Admin API: grant READ on TEST_TABLE/TEST_FAMILY to USER_RO.
    AccessTestAction grantAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()), false);
            }
            return null;
        }
    };
    // Admin API: revoke the same READ permission from USER_RO.
    AccessTestAction revokeAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()));
            }
            return null;
        }
    };
    // Admin API: list the permissions recorded for TEST_TABLE.
    AccessTestAction getTablePermissionsAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder(TEST_TABLE).build());
            }
            return null;
        }
    };
    // Admin API: list permissions with an unscoped request (no table given to the builder).
    AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder().build());
            }
            return null;
        }
    };
    // Direct hook call: invokes ACCESS_CONTROLLER.preGrant without going through an RPC, so the
    // authorization decision of the observer itself is what gets tested.
    AccessTestAction preGrantAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV), new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()), false);
            return null;
        }
    };
    // Direct hook call: same as above for preRevoke.
    AccessTestAction preRevokeAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV), new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()));
            return null;
        }
    };
    // Coprocessor endpoint: grant through AccessControlService on the ACL table. The channel is
    // obtained for the row TEST_TABLE.getName(); the controller argument is passed as null.
    AccessTestAction grantCPAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf);
                Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
                AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service);
                AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, false, Action.READ);
            }
            return null;
        }
    };
    // Coprocessor endpoint: revoke through the same service.
    AccessTestAction revokeCPAction = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf);
                Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
                AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service);
                AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Action.READ);
            }
            return null;
        }
    };
    // The grant checks run before the try block; the cleanup in finally only restores the
    // permission that the revoke actions below may remove.
    verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
    verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    try {
        verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        // Listing global permissions is the only case where the table owner is denied.
        verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
        verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(preGrantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(preGrantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(preRevokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(preRevokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(grantCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(grantCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(revokeCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(revokeCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    } finally {
        // Cleanup: grant the revoked READ permission back to USER_RO so that later tests see the
        // table in its original state.
        grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
    }
}
Also used : Table(org.apache.hadoop.hbase.client.Table) AccessControlService(org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.AccessControlService) Connection(org.apache.hadoop.hbase.client.Connection) BlockingRpcChannel(org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel) Test(org.junit.Test)

Example 3 with BlockingRpcChannel

use of org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel in project hbase by apache.

the class TestAccessController method testCoprocessorExec.

/**
 * Checks that calling a coprocessor endpoint requires EXEC permission. userA holds EXEC on
 * TEST_TABLE for the whole test. userB is granted EXEC on the table's namespace, must be
 * allowed, then has it revoked and must be denied.
 * <p>
 * NOTE(review): userB is never asserted as denied before the namespace grant; denial is only
 * checked after the revoke.
 * <p>
 * NOTE(review): the namespace grant for userB is revoked inline rather than in the finally
 * block. If the first verifyAllowed fails, that grant appears to be left in place for later
 * tests. Confirm whether class-level teardown covers it.
 */
@Test
public void testCoprocessorExec() throws Exception {
    // Set up our ping endpoint service on all regions of our test table
    for (JVMClusterUtil.RegionServerThread thread : TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) {
        HRegionServer rs = thread.getRegionServer();
        for (HRegion region : rs.getRegions(TEST_TABLE)) {
            region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf);
        }
    }
    // Create users for testing, and grant EXEC privileges on our test table
    // only to user A. Both users are created with an empty String[] as the last argument.
    User userA = User.createUserForTesting(conf, "UserA", new String[0]);
    User userB = User.createUserForTesting(conf, "UserB", new String[0]);
    grantOnTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, Permission.Action.EXEC);
    try {
        // Create an action for invoking our test endpoint: opens a connection, gets a channel on
        // TEST_TABLE for the empty row key and calls the PingCoprocessor noop method.
        AccessTestAction execEndpointAction = new AccessTestAction() {

            @Override
            public Object run() throws Exception {
                try (Connection conn = ConnectionFactory.createConnection(conf);
                    Table t = conn.getTable(TEST_TABLE)) {
                    BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
                    PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
                }
                return null;
            }
        };
        String namespace = TEST_TABLE.getNamespaceAsString();
        // Now grant EXEC to the entire namespace to user B
        grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
        // User B should now be allowed also
        verifyAllowed(execEndpointAction, userA, userB);
        revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
        // Verify that EXEC permission is checked correctly: userB loses access once the
        // namespace grant is gone, userA keeps it through the table-level grant.
        verifyDenied(execEndpointAction, userB);
        verifyAllowed(execEndpointAction, userA);
    } finally {
        // Cleanup, revoke the userA privileges
        revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, Permission.Action.EXEC);
    }
}
Also used : HRegion(org.apache.hadoop.hbase.regionserver.HRegion) User(org.apache.hadoop.hbase.security.User) Table(org.apache.hadoop.hbase.client.Table) JVMClusterUtil(org.apache.hadoop.hbase.util.JVMClusterUtil) Connection(org.apache.hadoop.hbase.client.Connection) BlockingRpcChannel(org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel) HRegionServer(org.apache.hadoop.hbase.regionserver.HRegionServer) Test(org.junit.Test)

Example 4 with BlockingRpcChannel

use of org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel in project hbase by apache.

the class TestHMasterRPCException method testRPCException.

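/**
 * Calls {@code isMasterRunning} on the master up to 20 times, one second apart. While the
 * master is still starting, each call must fail with a ServerNotRunningYetException; the test
 * succeeds on the first call that reports the master as running.
 * <p>
 * After the first expected failure the master address znode is deleted once (the
 * {@code fakeZNodeDelete} flag guards this).
 *
 * @throws IOException declared by the test signature
 * @throws InterruptedException if the sleep between attempts is interrupted
 * @throws KeeperException if deleting the master address znode fails
 */
@Test
public void testRPCException() throws IOException, InterruptedException, KeeperException {
    ServerName sm = master.getServerName();
    boolean fakeZNodeDelete = false;
    for (int i = 0; i < 20; i++) {
        try {
            BlockingRpcChannel channel = rpcClient.createBlockingRpcChannel(sm, User.getCurrent(), 0);
            MasterProtos.MasterService.BlockingInterface stub = MasterProtos.MasterService.newBlockingStub(channel);
            assertTrue(stub.isMasterRunning(null, IsMasterRunningRequest.getDefaultInstance()).getIsMasterRunning());
            return;
        } catch (ServiceException ex) {
            IOException ie = ProtobufUtil.handleRemoteException(ex);
            // No SocketTimeoutException here. RpcServer is already started after the construction of
            // HMaster.
            // A null message is reported as an assertion failure instead of a NullPointerException.
            String message = ie.getMessage();
            assertTrue(message != null && message.startsWith("org.apache.hadoop.hbase.ipc.ServerNotRunningYetException: Server is not running yet"));
            LOG.info("Expected exception: ", ie);
            if (!fakeZNodeDelete) {
                // Version -1 deletes the znode whatever its current version is.
                testUtil.getZooKeeperWatcher().getRecoverableZooKeeper().delete(testUtil.getZooKeeperWatcher().getZNodePaths().masterAddressZNode, -1);
                fakeZNodeDelete = true;
            }
        }
        Thread.sleep(1000);
    }
    // Reaching this point means no attempt ever saw the master running. Fail explicitly so the
    // test cannot pass without having verified anything.
    throw new AssertionError("Master did not report running after 20 attempts");
}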
Also used : ServiceException(org.apache.hbase.thirdparty.com.google.protobuf.ServiceException) ServerName(org.apache.hadoop.hbase.ServerName) BlockingRpcChannel(org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel) IOException(java.io.IOException) Test(org.junit.Test)

Example 5 with BlockingRpcChannel

use of org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel in project hbase by apache.

the class TestAccessController method testCheckPermissions.

/**
 * Exercises the permission-check helpers at global, table, column-family and qualifier scope,
 * then sends a checkPermissions request for TEST_TABLE to a region of the ACL table and
 * expects it to be rejected.
 * <p>
 * Three throwaway users are given READ at table, family and qualifier (q1) scope. The
 * assertions confirm that a narrower grant does not satisfy a broader check. All three grants
 * are revoked in the outer finally block.
 * <p>
 * checkGlobalPerms, checkTablePerms, verifyGlobal, verifyAllowed and verifyDenied are defined
 * outside this listing; their exact behaviour should be confirmed there.
 */
@Test
public void testCheckPermissions() throws Exception {
    // --------------------------------------
    // test global permissions
    AccessTestAction globalAdmin = new AccessTestAction() {

        @Override
        public Void run() throws Exception {
            checkGlobalPerms(TEST_UTIL, Permission.Action.ADMIN);
            return null;
        }
    };
    // verify that only superuser can admin
    verifyGlobal(globalAdmin);
    // --------------------------------------
    // test multiple permissions
    AccessTestAction globalReadWrite = new AccessTestAction() {

        @Override
        public Void run() throws Exception {
            checkGlobalPerms(TEST_UTIL, Permission.Action.READ, Permission.Action.WRITE);
            return null;
        }
    };
    verifyGlobal(globalReadWrite);
    // --------------------------------------
    // table/column/qualifier level permissions
    final byte[] TEST_Q1 = Bytes.toBytes("q1");
    final byte[] TEST_Q2 = Bytes.toBytes("q2");
    User userTable = User.createUserForTesting(conf, "user_check_perms_table", new String[0]);
    User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]);
    User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);
    // One READ grant per user, each one scope narrower than the previous: whole table, one
    // family, one qualifier (q1) of that family. Nothing is granted on q2.
    grantOnTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, Permission.Action.READ);
    grantOnTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
    grantOnTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
    try {
        AccessTestAction tableRead = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ);
                return null;
            }
        };
        AccessTestAction columnRead = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
                return null;
            }
        };
        AccessTestAction qualifierRead = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
                return null;
            }
        };
        // Asks for READ on both q1 and q2 in one request.
        AccessTestAction multiQualifierRead = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, new Permission[] { Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_Q1).withActions(Permission.Action.READ).build(), Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_Q2).withActions(Permission.Action.READ).build() });
                return null;
            }
        };
        // Asks for a global READ and a table-level READ in one request.
        AccessTestAction globalAndTableRead = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, new Permission[] { new Permission(Permission.Action.READ), Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build() });
                return null;
            }
        };
        // Sends an empty permission array, i.e. a request that asks for nothing.
        AccessTestAction noCheck = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, new Permission[0]);
                return null;
            }
        };
        // A grant satisfies checks at its own scope and narrower ones, never broader ones.
        verifyAllowed(tableRead, SUPERUSER, userTable);
        verifyDenied(tableRead, userColumn, userQualifier);
        verifyAllowed(columnRead, SUPERUSER, userTable, userColumn);
        verifyDenied(columnRead, userQualifier);
        verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier);
        // userQualifier holds q1 only, so a request that also names q2 is denied as a whole.
        verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn);
        verifyDenied(multiQualifierRead, userQualifier);
        // A table-level grant does not satisfy the global READ part of the request.
        verifyAllowed(globalAndTableRead, SUPERUSER);
        verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier);
        // An empty request is allowed for every user listed here.
        verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier);
        // --------------------------------------
        // test family level multiple permissions
        AccessTestAction familyReadWrite = new AccessTestAction() {

            @Override
            public Void run() throws Exception {
                checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE);
                return null;
            }
        };
        verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW);
        verifyDenied(familyReadWrite, USER_NONE, USER_RO);
        // --------------------------------------
        // check for wrong table region
        // The request asks about CREATE on TEST_TABLE but is sent below to a region of the ACL
        // table, using the system user's connection.
        CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder().addPermission(AccessControlProtos.Permission.newBuilder().setType(AccessControlProtos.Permission.Type.Table).setTablePermission(AccessControlProtos.TablePermission.newBuilder().setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)).addAction(AccessControlProtos.Permission.Action.CREATE))).build();
        Table acl = systemUserConnection.getTable(PermissionStorage.ACL_TABLE_NAME);
        try {
            BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
            AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(channel);
            try {
                // but ask for TablePermissions for TEST_TABLE
                protocol.checkPermissions(null, checkRequest);
                fail("this should have thrown CoprocessorException");
            } catch (ServiceException ex) {
            // expected
            // NOTE(review): any ServiceException satisfies this catch. The failure message
            // names CoprocessorException, but neither the cause nor the message of ex is
            // inspected, so an unrelated RPC failure would also make this step pass.
            }
        } finally {
            acl.close();
        }
    } finally {
        // Remove the three grants made before the try block.
        revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, Permission.Action.READ);
        revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
        revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
    }
}
Also used : User(org.apache.hadoop.hbase.security.User) Table(org.apache.hadoop.hbase.client.Table) AccessControlService(org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.AccessControlService) ServiceException(org.apache.hbase.thirdparty.com.google.protobuf.ServiceException) FsPermission(org.apache.hadoop.fs.permission.FsPermission) BlockingRpcChannel(org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel) CheckPermissionsRequest(org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.CheckPermissionsRequest) Test(org.junit.Test)

Aggregations

BlockingRpcChannel (org.apache.hbase.thirdparty.com.google.protobuf.BlockingRpcChannel)7 Test (org.junit.Test)6 Table (org.apache.hadoop.hbase.client.Table)5 Connection (org.apache.hadoop.hbase.client.Connection)4 AccessControlService (org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.AccessControlService)4 User (org.apache.hadoop.hbase.security.User)3 IOException (java.io.IOException)2 ServerName (org.apache.hadoop.hbase.ServerName)2 ServiceException (org.apache.hbase.thirdparty.com.google.protobuf.ServiceException)2 PrivilegedAction (java.security.PrivilegedAction)1 FsPermission (org.apache.hadoop.fs.permission.FsPermission)1 DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)1 ServerNotRunningYetException (org.apache.hadoop.hbase.ipc.ServerNotRunningYetException)1 HRegion (org.apache.hadoop.hbase.regionserver.HRegion)1 HRegionServer (org.apache.hadoop.hbase.regionserver.HRegionServer)1 Action (org.apache.hadoop.hbase.security.access.Permission.Action)1 CheckPermissionsRequest (org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos.CheckPermissionsRequest)1 LockService (org.apache.hadoop.hbase.shaded.protobuf.generated.LockServiceProtos.LockService)1 RegionServerStatusService (org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos.RegionServerStatusService)1 JVMClusterUtil (org.apache.hadoop.hbase.util.JVMClusterUtil)1