HBASE-14057 HBase shell user_permission should list super users defined on hbase-site.xml

Srikanth Srungarapu 2015-07-28 11:33:52 -07:00
parent 34f9a84445
commit 1d4c2452e7
4 changed files with 41 additions and 14 deletions


@ -155,7 +155,9 @@ public class AccessControlClient {
} }
/** /**
* List all the userPermissions matching the given pattern. * List all the userPermissions matching the given pattern. If pattern is null, the behavior is
* dependent on whether user has global admin privileges or not. If yes, the global permissions
* along with the list of superusers would be returned. Else, no rows get returned.
* @param connection The Connection instance to use * @param connection The Connection instance to use
* @param tableRegex The regular expression string to match against * @param tableRegex The regular expression string to match against
* @return - returns an array of UserPermissions * @return - returns an array of UserPermissions
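Review bot: The added Javadoc sentences refer to "pattern" while the parameter is named `tableRegex`, and they do not say in what form superusers are returned. Judging by the AccessController change in this commit, they come back as `UserPermission` entries on the ACL table with every action, built from configuration rather than from stored grants. I would word it as `If tableRegex is null and the caller has global admin privileges, the global permissions are returned together with one entry per configured superuser; these entries are generated from configuration and are not stored grants.` The method signature and the rest of the Javadoc are outside this hunk.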


@ -100,4 +100,8 @@ public final class Superusers {
} }
return false; return false;
} }
public static List<String> getSuperUsers() {
return superUsers;
}
} }
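Review bot: `getSuperUsers()` returns the class's own static `superUsers` list, so any in-process caller can add or remove names in the list that the superuser check presumably reads. Return a read-only view instead, for example `return Collections.unmodifiableList(superUsers);` (this needs `java.util.Collections` imported if it is not already). The new public method also has no Javadoc. It should state whether the result can be null before the class is initialised and whether group entries are included, neither of which is visible in this hunk.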


@ -2254,6 +2254,13 @@ public class AccessController extends BaseMasterAndRegionObserver
return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null); return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
} }
}); });
// Adding superusers explicitly to the result set as AccessControlLists do not store them.
// Also using acl as table name to be inline with the results of global admin and will
// help in avoiding any leakage of information about being superusers.
for (String user: Superusers.getSuperUsers()) {
perms.add(new UserPermission(user.getBytes(), AccessControlLists.ACL_TABLE_NAME, null,
Action.values()));
}
} }
response = ResponseConverter.buildGetUserPermissionsResponse(perms); response = ResponseConverter.buildGetUserPermissionsResponse(perms);
} else { } else {
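Review bot: `user.getBytes()` in the new loop encodes with the JVM default charset, whereas the accompanying test builds the expected entries with `Bytes.toBytes(user)`. On a host whose default charset is not UTF-8, a superuser name with non-ASCII characters would be reported under different bytes than the rest of the ACL code uses. Change the call to `Bytes.toBytes(user)`, assuming `Bytes` is already imported in this file. The comment could also state that these entries are generated with `Action.values()` and are not backed by rows in the ACL table, so they cannot be revoked through the ACL API. The authorization check guarding this branch lies outside the hunk.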


@ -26,6 +26,7 @@ import static org.junit.Assert.fail;
import java.io.IOException; import java.io.IOException;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
@ -101,6 +102,7 @@ import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost; import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost; import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.ScanType; import org.apache.hadoop.hbase.regionserver.ScanType;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.testclassification.LargeTests; import org.apache.hadoop.hbase.testclassification.LargeTests;
@ -1331,6 +1333,11 @@ public class TestAccessController extends SecureTestUtil {
} }
} }
private boolean hasFoundUserPermission(List<UserPermission> userPermissions,
List<UserPermission> perms) {
return perms.containsAll(userPermissions);
}
private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) { private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) {
return perms.contains(userPermission); return perms.contains(userPermission);
} }
@ -1582,10 +1589,17 @@ public class TestAccessController extends SecureTestUtil {
} finally { } finally {
acl.close(); acl.close();
} }
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), List<UserPermission> adminPerms = new ArrayList<UserPermission>();
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); adminPerms.add(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
assertTrue("Only global users and user admin has permission on table _acl_ per setup", AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")));
perms.size() == 5 && hasFoundUserPermission(adminPerm, perms)); List<String> superUsers = Superusers.getSuperUsers();
for(String user: superUsers) {
adminPerms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME,
null, null, Action.values()));
}
assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
"per setup", perms.size() == 5 + superUsers.size() &&
hasFoundUserPermission(adminPerms, perms));
} }
/** global operations */ /** global operations */