ACCUMULO-4140 Store root username in plaintext in ZooKeeper when using Kerberos.
Signed-off-by: Josh Elser <els...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/a7e45df2 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/a7e45df2 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/a7e45df2 Branch: refs/heads/master Commit: a7e45df2d97faa81ca76ba4bc15555aadee4dc0b Parents: c283f4a Author: William Slacum <ujustgotbi...@apache.org> Authored: Mon Feb 15 14:02:08 2016 -0800 Committer: Josh Elser <els...@apache.org> Committed: Wed Feb 17 13:04:32 2016 -0500 ---------------------------------------------------------------------- .../server/security/handler/KerberosAuthenticator.java | 9 +++++---- .../org/apache/accumulo/test/functional/KerberosIT.java | 12 ++++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/a7e45df2/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java ---------------------------------------------------------------------- diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java index 0aecfbf..018c901 100644 --- a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java +++ b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java @@ -100,12 +100,13 @@ public class KerberosAuthenticator implements Authenticator { log.info("Removed " + zkUserPath + "/" + " from zookeeper"); } - principal = Base64.encodeBase64String(principal.getBytes(UTF_8)); - // prep parent node of users with root username - zoo.putPersistentData(zkUserPath, principal.getBytes(UTF_8), NodeExistsPolicy.FAIL); + // ACCUMULO-4140 The root user needs to be stored un-base64 encoded in the znode's value + byte[] principalData = principal.getBytes(UTF_8); + zoo.putPersistentData(zkUserPath, principalData, NodeExistsPolicy.FAIL); - createUserNodeInZk(principal); + // Create the root user in ZK using base64 encoded name (since the name is included in the znode) + createUserNodeInZk(Base64.encodeBase64String(principalData)); } } catch (KeeperException | InterruptedException e) { log.error("Failed to initialize security", e); http://git-wip-us.apache.org/repos/asf/accumulo/blob/a7e45df2/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java ---------------------------------------------------------------------- diff --git a/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java b/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java index 596676a..612718d 100644 --- a/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java +++ b/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java @@ -556,6 +556,18 @@ public class KerberosIT extends AccumuloIT { identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000)); } + @Test(expected = AccumuloSecurityException.class) + public void testRootUserHasIrrevocablePermissions() throws Exception { + // Login as the client (provided to `accumulo init` as the "root" user) + UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); + + final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); + + // The server-side implementation should prevent the revocation of the 'root' user's systems permissions + // because once they're gone, it's possible that they could never be restored. + conn.securityOperations().revokeSystemPermission(rootUser.getPrincipal(), SystemPermission.GRANT); + } + /** * Creates a table, adds a record to it, and then compacts the table. A simple way to make sure that the system user exists (since the master does an RPC to * the tserver which will create the system user if it doesn't already exist).
