HBASE-12098 User granted namespace table create permissions can't create a table (Srikanth Srungarapu)
This commit is contained in:
parent
8d1a87fabc
commit
321a6085fb
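--- a/[path not shown]/AccessController.java
+++ b/[path not shown]/AccessController.java
@@ -487,7 +487,8 @@ public class AccessController extends BaseMasterAndRegionObserver
 private void requireGlobalPermission(String request, Action perm, TableName tableName,
 Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
 User user = getActiveUser();
-if (authManager.authorize(user, perm)) {
+if (authManager.authorize(user, perm) || (tableName != null &&
+authManager.authorize(user, tableName.getNamespaceAsString(), perm))) {
 logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
 } else {
 logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));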
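Review bot: The allow path now logs `"Global check allowed"` for a grant that actually came from the namespace check on the added line, so the audit record no longer says which grant satisfied the request, and the deny reason `"Global check failed"` likewise hides that a namespace grant was also tested and absent. Splitting the condition into a global branch and a namespace branch, each with its own `AuthResult.allow` reason, keeps the audit trail distinguishable without changing the access decision. The method is still named `requireGlobalPermission` and carries no Javadoc saying that a grant on the namespace of `tableName` is now sufficient; a one-line Javadoc such as `Requires {@code perm} either globally or on the namespace of {@code tableName} (when non-null); logs the outcome and rejects the request when neither is granted.` would document the widened contract for callers. The else branch and the remainder of the method (presumably the rejection after the deny log) continue outside the hunk.
```java
if (authManager.authorize(user, perm)) {
  logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
} else if (tableName != null
    && authManager.authorize(user, tableName.getNamespaceAsString(), perm)) {
  logResult(AuthResult.allow(request, "Namespace check allowed", user, perm, tableName, familyMap));
} else {
  logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));
  // … unchanged: remainder of the else branch and of the method …
```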
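--- a/[path not shown]/TestNamespaceCommands.java
+++ b/[path not shown]/TestNamespaceCommands.java
@@ -22,10 +22,16 @@ import static org.junit.Assert.assertTrue;
 
 import java.util.List;
 
+import com.google.common.collect.ListMultimap;
+import com.google.protobuf.BlockingRpcChannel;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Get;
 import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Result;
@@ -39,14 +45,15 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.hadoop.hbase.testclassification.SecurityTests;
 import org.apache.hadoop.hbase.util.Bytes;
 
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
-import com.google.common.collect.ListMultimap;
-import com.google.protobuf.BlockingRpcChannel;
+import java.util.List;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 @Category({SecurityTests.class, MediumTests.class})
 public class TestNamespaceCommands extends SecureTestUtil {
@@ -65,6 +72,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
 // user with permission on namespace for testing all operations.
 private static User USER_NSP_WRITE;
 
+private static String TEST_TABLE = TestNamespace + ":testtable";
+private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
+
 @BeforeClass
 public static void beforeClass() throws Exception {
 conf = UTIL.getConfiguration();
@@ -86,7 +96,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
 UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
 
 grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
-TestNamespace, Permission.Action.WRITE);
+TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
 }
 
 @AfterClass
@@ -190,4 +200,23 @@ public class TestNamespaceCommands extends SecureTestUtil {
 verifyAllowed(revokeAction, SUPERUSER);
 verifyDenied(revokeAction, USER_CREATE, USER_RW);
 }
+
+@Test
+public void testCreateTableWithNamespace() throws Exception {
+AccessTestAction createTable = new AccessTestAction() {
+@Override
+public Object run() throws Exception {
+HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE));
+htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null);
+return null;
+}
+};
+
+// Only users with create permissions on namespace should be able to create a new table
+verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE);
+
+// all others should be denied
+verifyDenied(createTable, USER_CREATE, USER_RW);
+}
 }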
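Review bot: `testCreateTableWithNamespace` cannot tell a namespace CREATE grant apart from any namespace grant: `USER_NSP_WRITE` is granted both WRITE and CREATE in `beforeClass`, while the denied users `USER_CREATE` and `USER_RW` hold no namespace permission at all, so a controller that accepted WRITE on the namespace as sufficient for `preCreateTable` would still pass this test. Granting a separate user only WRITE on `TestNamespace` and adding it to `verifyDenied(createTable, ...)` would pin the action-specific check the production change relies on, and a comment on `USER_NSP_WRITE` noting that it now also carries CREATE would keep the fixture's name from misleading. `TEST_TABLE` and `TEST_FAMILY` are mutable `private static` fields used as constants; `private static final` states that intent. As rendered, the two import hunks appear to leave `import java.util.List;` and `import static org.junit.Assert.assertTrue;` present twice in the new file (context in the first hunk, added again in the second); if that is not a rendering artifact, the duplicates should be dropped.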