HBASE-6062 preCheckAndPut/Delete() checks for READ when also a WRITE is performed

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1344486 13f79535-47bb-0310-9956-ffa450edef68
2012-05-30 22:28:29 +00:00 · 2012-05-30 22:28:29 +00:00 · 3d586b8722
parent 6043c0c401
commit 3d586b8722
2 changed files with 51 additions and 4 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -842,8 +842,9 @@ public class AccessController extends BaseRegionObserver
      final CompareFilter.CompareOp compareOp,
      final WritableByteArrayComparable comparator, final Put put,
      final boolean result) throws IOException {
-    requirePermission(TablePermission.Action.READ, c.getEnvironment(),
-        Arrays.asList(new byte[][]{family}));
+    Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
+    requirePermission(TablePermission.Action.READ, c.getEnvironment(), familyMap);
+    requirePermission(TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
    return result;
  }

@ -853,8 +854,9 @@ public class AccessController extends BaseRegionObserver
      final CompareFilter.CompareOp compareOp,
      final WritableByteArrayComparable comparator, final Delete delete,
      final boolean result) throws IOException {
-    requirePermission(TablePermission.Action.READ, c.getEnvironment(),
-        Arrays.asList( new byte[][] {family}));
+    Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
+    requirePermission(TablePermission.Action.READ, c.getEnvironment(), familyMap);
+    requirePermission(TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
    return result;
  }

--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@ -539,6 +539,18 @@ public class TestAccessController {
    verifyAllowed(USER_RO, action);
  }

+  private void verifyReadWrite(PrivilegedExceptionAction action) throws Exception {
+    // should be denied
+    verifyDenied(USER_NONE, action);
+    verifyDenied(USER_RO, action);
+
+    // should be allowed
+    verifyAllowed(SUPERUSER, action);
+    verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_OWNER, action);
+    verifyAllowed(USER_RW, action);
+  }
+
  @Test
  public void testRead() throws Exception {
    // get action
@ -615,6 +627,39 @@ public class TestAccessController {
    verifyWrite(incrementAction);
  }

+  @Test
+  public void testReadWrite() throws Exception {
+    // action for checkAndDelete
+    PrivilegedExceptionAction checkAndDeleteAction = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        Delete d = new Delete(Bytes.toBytes("random_row"));
+        d.deleteFamily(TEST_FAMILY);
+
+        HTable t = new HTable(conf, TEST_TABLE);
+        t.checkAndDelete(Bytes.toBytes("random_row"), 
+                         TEST_FAMILY, Bytes.toBytes("q"),
+                         Bytes.toBytes("test_value"), d);
+        return null;
+      }
+    };
+    verifyReadWrite(checkAndDeleteAction);
+
+    // action for checkAndPut()
+    PrivilegedExceptionAction checkAndPut = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        Put p = new Put(Bytes.toBytes("random_row"));
+        p.add(TEST_FAMILY, Bytes.toBytes("Qualifier"), Bytes.toBytes(1));
+
+        HTable t = new HTable(conf, TEST_TABLE);
+        t.checkAndPut(Bytes.toBytes("random_row"), 
+                      TEST_FAMILY, Bytes.toBytes("q"),
+                      Bytes.toBytes("test_value"), p);
+        return null;
+      }
+    };
+    verifyReadWrite(checkAndPut);
+  }
+
  @Test
  public void testGrantRevoke() throws Exception {
    final byte[] tableName = Bytes.toBytes("TempTable");