HBASE-12098 User granted namespace table create permissions can't create a table (Srikanth Srungarapu)

This commit is contained in:
Matteo Bertozzi 2014-09-30 19:10:00 +01:00
parent 8d1a87fabc
commit 321a6085fb
2 changed files with 35 additions and 5 deletions


@ -487,7 +487,8 @@ public class AccessController extends BaseMasterAndRegionObserver
private void requireGlobalPermission(String request, Action perm, TableName tableName, private void requireGlobalPermission(String request, Action perm, TableName tableName,
Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException { Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
User user = getActiveUser(); User user = getActiveUser();
if (authManager.authorize(user, perm)) { if (authManager.authorize(user, perm) || (tableName != null &&
authManager.authorize(user, tableName.getNamespaceAsString(), perm))) {
logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap)); logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
} else { } else {
logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap)); logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));
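Review bot: The allow branch at the `logResult(AuthResult.allow(request, "Global check allowed", ...))` line now also fires when only the new namespace-scoped `authManager.authorize(user, tableName.getNamespaceAsString(), perm)` succeeded, so the audit record reports a global grant for what was actually a namespace grant. Splitting the two checks keeps the logged reason truthful, which matters when reconstructing from the audit log who was allowed to create a table and why. The method name and any Javadoc above the hunk still describe a global-only check; a line such as `// Also satisfied by a namespace-level grant for tableName's namespace (HBASE-12098)` would help the next reader. requireGlobalPermission's deny branch and the remainder of the method continue outside the hunk.
```java
    User user = getActiveUser();
    if (authManager.authorize(user, perm)) {
      logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
    } else if (tableName != null
        && authManager.authorize(user, tableName.getNamespaceAsString(), perm)) {
      logResult(AuthResult.allow(request, "Namespace check allowed", user, perm, tableName, familyMap));
    } else {
      // … unchanged: deny logging and the rest of the method …
```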


@ -22,10 +22,16 @@ import static org.junit.Assert.assertTrue;
import java.util.List; import java.util.List;
import com.google.common.collect.ListMultimap;
import com.google.protobuf.BlockingRpcChannel;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HColumnDescriptor;
import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Result;
@ -39,14 +45,15 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.testclassification.MediumTests; import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests; import org.apache.hadoop.hbase.testclassification.SecurityTests;
import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.junit.experimental.categories.Category; import org.junit.experimental.categories.Category;
import com.google.common.collect.ListMultimap; import java.util.List;
import com.google.protobuf.BlockingRpcChannel;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@Category({SecurityTests.class, MediumTests.class}) @Category({SecurityTests.class, MediumTests.class})
public class TestNamespaceCommands extends SecureTestUtil { public class TestNamespaceCommands extends SecureTestUtil {
@ -65,6 +72,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
// user with permission on namespace for testing all operations. // user with permission on namespace for testing all operations.
private static User USER_NSP_WRITE; private static User USER_NSP_WRITE;
private static String TEST_TABLE = TestNamespace + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@BeforeClass @BeforeClass
public static void beforeClass() throws Exception { public static void beforeClass() throws Exception {
conf = UTIL.getConfiguration(); conf = UTIL.getConfiguration();
@ -86,7 +96,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build()); UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(), grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
TestNamespace, Permission.Action.WRITE); TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
} }
@AfterClass @AfterClass
@ -190,4 +200,23 @@ public class TestNamespaceCommands extends SecureTestUtil {
verifyAllowed(revokeAction, SUPERUSER); verifyAllowed(revokeAction, SUPERUSER);
verifyDenied(revokeAction, USER_CREATE, USER_RW); verifyDenied(revokeAction, USER_CREATE, USER_RW);
} }
@Test
public void testCreateTableWithNamespace() throws Exception {
AccessTestAction createTable = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE));
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null);
return null;
}
};
// Only users with create permissions on namespace should be able to create a new table
verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE);
// all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW);
}
} }
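Review bot: testCreateTableWithNamespace only covers users who hold CREATE on the namespace or have no namespace grant at all, so it would not catch a regression where any namespace-level permission (WRITE alone, say) satisfied the CREATE check; since the setup change now grants USER_NSP_WRITE both WRITE and CREATE, adding a user that holds only WRITE on TestNamespace to the `verifyDenied(createTable, USER_CREATE, USER_RW);` call would pin the intended boundary. The comment `// Only users with create permissions on namespace should be able to create a new table` could also note that the test invokes ACCESS_CONTROLLER.preCreateTable directly and so exercises only the authorization hook, not actual table creation. The import hunk also appears to leave a second `import java.util.List;` on the new side, unless that is an artifact of how this page is rendered.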