HBASE-22581 user with "CREATE" permission can grant, but not revoke permissions on created table

Signed-off-by: Reid Chan <reidchan@apache.org>
This commit is contained in:
Istvan Toth 2019-06-14 08:41:51 +02:00 committed by Reid Chan
parent c339733d66
commit 02f9c8b3b4
2 changed files with 50 additions and 1 deletions

View File

@ -259,7 +259,14 @@ public class AccessControlLists {
Delete d = new Delete(userPermissionRowKey(userPerm)); Delete d = new Delete(userPermissionRowKey(userPerm));
d.addColumns(ACL_LIST_FAMILY, userPermissionKey(userPerm)); d.addColumns(ACL_LIST_FAMILY, userPermissionKey(userPerm));
try { try {
t.delete(d); /**
* We need to run the ACL delete in superuser context, to have
* similar authorization logic to addUserPermission().
* This ensures behaviour is consistent with pre 2.1.1 and 2.2+.
* The permission authorization has already happened here.
* See the TODO comment in addUserPermission for details
*/
t.delete(new ArrayList<>(Arrays.asList(d)));
} finally { } finally {
t.close(); t.close();
} }

View File

@ -3133,4 +3133,46 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(action, SUPERUSER); verifyAllowed(action, SUPERUSER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN);
} }
@Test
public void testTableAdmin() throws Exception {
// Create a user with table admin permissions only
User userTableAdmin = User.createUserForTesting(conf, "table_admin", new String[0]);
grantOnTable(TEST_UTIL, userTableAdmin.getShortName(), TEST_TABLE, null, null,
Permission.Action.ADMIN);
AccessTestAction grantAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, USER_NONE.getShortName(), TEST_TABLE, null, null,
false, Action.READ);
}
return null;
}
};
AccessTestAction revokeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.revoke(null, protocol, USER_NONE.getShortName(), TEST_TABLE, null, null,
Action.READ);
}
return null;
}
};
verifyAllowed(userTableAdmin, grantAction);
verifyAllowed(userTableAdmin, revokeAction);
}
} }