HBASE-12622 user_permission should require global admin to display global and ns permissions
This commit is contained in:
parent
1615a4da62
commit
398e4f7ccf
|
@ -2088,6 +2088,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
});
|
||||
} else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
|
||||
final String namespace = request.getNamespaceName().toStringUtf8();
|
||||
requireGlobalPermission("userPermissions", Action.ADMIN, namespace);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
|
@ -2096,6 +2097,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
}
|
||||
});
|
||||
} else {
|
||||
requirePermission("userPermissions", Action.ADMIN);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
|
|
|
@ -992,7 +992,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
AccessTestAction getPermissionsAction = new AccessTestAction() {
|
||||
AccessTestAction getTablePermissionsAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
|
@ -1008,14 +1008,34 @@ public class TestAccessController extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
ProtobufUtil.getUserPermissions(protocol);
|
||||
} finally {
|
||||
acl.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
|
||||
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
|
||||
|
||||
verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
|
||||
verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
|
||||
|
||||
verifyAllowed(getPermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
|
||||
verifyDenied(getPermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
|
||||
verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
|
||||
verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
|
||||
|
||||
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
|
||||
verifyDeniedWithException(getGlobalPermissionsAction, USER_CREATE,
|
||||
USER_OWNER, USER_RW, USER_RO, USER_NONE);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -52,8 +52,8 @@ import com.google.protobuf.BlockingRpcChannel;
|
|||
@Category(MediumTests.class)
|
||||
public class TestNamespaceCommands extends SecureTestUtil {
|
||||
private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
|
||||
private static String TestNamespace = "ns1";
|
||||
private static String TestNamespace2 = "ns2";
|
||||
private static String TEST_NAMESPACE = "ns1";
|
||||
private static String TEST_NAMESPACE2 = "ns2";
|
||||
private static Configuration conf;
|
||||
private static MasterCoprocessorEnvironment CP_ENV;
|
||||
private static AccessController ACCESS_CONTROLLER;
|
||||
|
@ -69,7 +69,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
// user with admin permission on namespace.
|
||||
private static User USER_NSP_ADMIN;
|
||||
|
||||
private static String TEST_TABLE = TestNamespace + ":testtable";
|
||||
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
|
||||
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
|
||||
|
||||
@BeforeClass
|
||||
|
@ -91,20 +91,20 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
.getMasterCoprocessorHost()
|
||||
.findCoprocessor(AccessController.class.getName());
|
||||
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace2).build());
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build());
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build());
|
||||
|
||||
grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
|
||||
TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
|
||||
TEST_NAMESPACE, Permission.Action.WRITE, Permission.Action.CREATE);
|
||||
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace, Permission.Action.ADMIN);
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace2, Permission.Action.ADMIN);
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE, Permission.Action.ADMIN);
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void afterClass() throws Exception {
|
||||
UTIL.getHBaseAdmin().deleteNamespace(TestNamespace);
|
||||
UTIL.getHBaseAdmin().deleteNamespace(TestNamespace2);
|
||||
UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE);
|
||||
UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE2);
|
||||
UTIL.shutdownMiniCluster();
|
||||
}
|
||||
|
||||
|
@ -114,18 +114,18 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
// Grant and check state in ACL table
|
||||
grantOnNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
|
||||
assertTrue(result != null);
|
||||
ListMultimap<String, TablePermission> perms =
|
||||
AccessControlLists.getNamespacePermissions(conf, TestNamespace);
|
||||
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(3, perms.size());
|
||||
List<TablePermission> namespacePerms = perms.get(userTestNamespace);
|
||||
assertTrue(perms.containsKey(userTestNamespace));
|
||||
assertEquals(1, namespacePerms.size());
|
||||
assertEquals(TestNamespace,
|
||||
assertEquals(TEST_NAMESPACE,
|
||||
namespacePerms.get(0).getNamespace());
|
||||
assertEquals(null, namespacePerms.get(0).getFamily());
|
||||
assertEquals(null, namespacePerms.get(0).getQualifier());
|
||||
|
@ -133,10 +133,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]);
|
||||
|
||||
// Revoke and check state in ACL table
|
||||
revokeFromNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(2, perms.size());
|
||||
} finally {
|
||||
acl.close();
|
||||
|
@ -148,7 +148,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
AccessTestAction modifyNamespace = new AccessTestAction() {
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preModifyNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
NamespaceDescriptor.create(TestNamespace).addConfiguration("abc", "156").build());
|
||||
NamespaceDescriptor.create(TEST_NAMESPACE).addConfiguration("abc", "156").build());
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
@ -163,7 +163,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
AccessTestAction createNamespace = new AccessTestAction() {
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
NamespaceDescriptor.create(TestNamespace2).build());
|
||||
NamespaceDescriptor.create(TEST_NAMESPACE2).build());
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
@ -171,7 +171,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
AccessTestAction deleteNamespace = new AccessTestAction() {
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
TestNamespace2);
|
||||
TEST_NAMESPACE2);
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
@ -200,7 +200,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
ProtobufUtil.grant(protocol, testUser, TestNamespace, Action.WRITE);
|
||||
ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
|
||||
} finally {
|
||||
acl.close();
|
||||
}
|
||||
|
@ -216,7 +216,23 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
ProtobufUtil.revoke(protocol, testUser, TestNamespace, Action.WRITE);
|
||||
ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
|
||||
} finally {
|
||||
acl.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction getPermissionsAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE));
|
||||
} finally {
|
||||
acl.close();
|
||||
}
|
||||
|
@ -230,6 +246,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
verifyDenied(grantAction, USER_CREATE, USER_RW);
|
||||
verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDenied(revokeAction, USER_CREATE, USER_RW);
|
||||
|
||||
// Only an admin should be able to get the user permission
|
||||
verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDeniedWithException(revokeAction, USER_CREATE, USER_RW);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
Loading…
Reference in New Issue