HBASE-24345 [ACL] renameRSGroup should require Admin level permission (#1686)

Signed-off-by: Viraj Jasani <vjasani@apache.org> Signed-off-by: Pankaj <pankajkumar@apache.org>
2020-05-09 23:33:27 +08:00 · 2020-05-09 23:33:27 +08:00 · 11ef0fd752
parent f41c9038e7
commit 11ef0fd752
3 changed files with 19 additions and 6 deletions
--- a/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java
+++ b/hbase-rsgroup/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupAdminEndpoint.java
@ -458,6 +458,7 @@ public class RSGroupAdminEndpoint implements MasterCoprocessor, MasterObserver {
        if (master.getMasterCoprocessorHost() != null) {
          master.getMasterCoprocessorHost().preRenameRSGroup(oldRSGroup, newRSGroup);
        }
+        checkPermission("renameRSGroup");
        groupAdminServer.renameRSGroup(oldRSGroup, newRSGroup);
        if (master.getMasterCoprocessorHost() != null) {
          master.getMasterCoprocessorHost().postRenameRSGroup(oldRSGroup, newRSGroup);
--- a/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
+++ b/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
@ -304,8 +304,8 @@ public abstract class TestRSGroupsBase {
    boolean postRemoveServersCalled = false;
    boolean preMoveServersAndTables = false;
    boolean postMoveServersAndTables = false;
-    boolean preReNameRSGroupCalled = false;
-    boolean postReNameRSGroupCalled = false;
+    boolean preRenameRSGroupCalled = false;
+    boolean postRenameRSGroupCalled = false;

    public void resetFlags() {
      preBalanceRSGroupCalled = false;
@ -322,8 +322,8 @@ public abstract class TestRSGroupsBase {
      postRemoveServersCalled = false;
      preMoveServersAndTables = false;
      postMoveServersAndTables = false;
-      preReNameRSGroupCalled = false;
-      postReNameRSGroupCalled = false;
+      preRenameRSGroupCalled = false;
+      postRenameRSGroupCalled = false;
    }

    @Override
@ -420,13 +420,13 @@ public abstract class TestRSGroupsBase {
    @Override
    public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
        String oldName, String newName) throws IOException {
-      preReNameRSGroupCalled = true;
+      preRenameRSGroupCalled = true;
    }

    @Override
    public void postRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
        String oldName, String newName) throws IOException {
-      postReNameRSGroupCalled = true;
+      postRenameRSGroupCalled = true;
    }
  }

--- a/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@ -333,4 +333,16 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
        USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
  }
+
+  @Test
+  public void testRenameRSGroup() throws Exception {
+    AccessTestAction action = () -> {
+      rsGroupAdminEndpoint.checkPermission("renameRSGroup");
+      return null;
+    };
+
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+      USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+  }
 }