HBASE-14057 HBase shell user_permission should list super users defined on hbase-site.xml

hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java

@@ -155,7 +155,9 @@ public class AccessControlClient {
   }
 
   /**
-   * List all the userPermissions matching the given pattern.
+   * List all the userPermissions matching the given pattern. If pattern is null, the behavior is
+   * dependent on whether user has global admin privileges or not. If yes, the global permissions
+   * along with the list of superusers would be returned. Else, no rows get returned.
    * @param connection The Connection instance to use
    * @param tableRegex The regular expression string to match against
    * @return - returns an array of UserPermissions

hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java

@@ -100,4 +100,8 @@ public final class Superusers {
     }
     return false;
   }
+
+  public static List<String> getSuperUsers() {
+    return superUsers;
+  }
 }

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

@@ -2254,6 +2254,13 @@ public class AccessController extends BaseMasterAndRegionObserver
               return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
             }
           });
+          // Adding superusers explicitly to the result set as AccessControlLists do not store them.
+          // Also using acl as table name to be inline  with the results of global admin and will
+          // help in avoiding any leakage of information about being superusers.
+          for (String user: Superusers.getSuperUsers()) {
+            perms.add(new UserPermission(user.getBytes(), AccessControlLists.ACL_TABLE_NAME, null,
+                Action.values()));
+          }
         }
         response = ResponseConverter.buildGetUserPermissionsResponse(perms);
       } else {

hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

@@ -26,6 +26,7 @@ import static org.junit.Assert.fail;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
@@ -101,6 +102,7 @@ import org.apache.hadoop.hbase.regionserver.Region;
 import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost;
 import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
 import org.apache.hadoop.hbase.regionserver.ScanType;
+import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.testclassification.LargeTests;
@@ -1331,6 +1333,11 @@ public class TestAccessController extends SecureTestUtil {
     }
   }
 
+  private boolean hasFoundUserPermission(List<UserPermission> userPermissions,
+                                         List<UserPermission> perms) {
+    return perms.containsAll(userPermissions);
+  }
+
   private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) {
     return perms.contains(userPermission);
   }
@@ -1582,10 +1589,17 @@ public class TestAccessController extends SecureTestUtil {
     } finally {
       acl.close();
     }
-    UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
-      AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
-    assertTrue("Only global users and user admin has permission on table _acl_ per setup",
-      perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
+    List<UserPermission> adminPerms = new ArrayList<UserPermission>();
+    adminPerms.add(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
+      AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")));
+    List<String> superUsers = Superusers.getSuperUsers();
+    for(String user: superUsers) {
+      adminPerms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME,
+          null, null, Action.values()));
+    }
+    assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
+        "per setup", perms.size() == 5 + superUsers.size() &&
+        hasFoundUserPermission(adminPerms, perms));
   }
 
   /** global operations */