HBASE-24345 [ACL] renameRSGroup should require Admin level permission (#1683)

Signed-off-by: binlijin <binlijin@gmail.com> Signed-off-by: Viraj Jasani <vjasani@apache.org>
2020-05-08 18:56:05 +08:00 · 2020-05-08 18:56:05 +08:00 · 0cd70ed89c
parent 03e5a1402d
commit 0cd70ed89c
3 changed files with 32 additions and 0 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -2685,4 +2685,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
        null, Permission.Action.ADMIN);
  }

+  @Override
+  public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+    accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup",
+      null, Permission.Action.ADMIN);
+  }
 }
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
@ -331,6 +331,8 @@ public abstract class TestRSGroupsBase {
    boolean postListTablesInRSGroupCalled = false;
    boolean preGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
    boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
+    boolean preRenameRSGroup = false;
+    boolean postRenameRSGroup = false;

    public void resetFlags() {
      preBalanceRSGroupCalled = false;
@ -361,6 +363,8 @@ public abstract class TestRSGroupsBase {
      postListTablesInRSGroupCalled = false;
      preGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
      postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
+      preRenameRSGroup = false;
+      postRenameRSGroup = false;
    }

    @Override
@ -523,5 +527,17 @@ public abstract class TestRSGroupsBase {
      ObserverContext<MasterCoprocessorEnvironment> ctx, String groupName) throws IOException {
      postGetConfiguredNamespacesAndTablesInRSGroupCalled = true;
    }
+
+    @Override
+    public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+      preRenameRSGroup = true;
+    }
+
+    @Override
+    public void postRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+      postRenameRSGroup = true;
+    }
  }
 }
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@ -319,6 +319,16 @@ public class TestRSGroupsWithACL extends SecureTestUtil {
    validateAdminPermissions(action);
  }

+  @Test
+  public void testRenameRSGroup() throws Exception {
+    AccessTestAction action = () -> {
+      checkPermission("renameRSGroup");
+      return null;
+    };
+
+    validateAdminPermissions(action);
+  }
+
  private void validateAdminPermissions(AccessTestAction action) throws Exception {
    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,