HBASE-7373 table should not be required in AccessControlService
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1424604 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
cdf88c07dc
commit
4480a9f6eb
|
@ -4073,7 +4073,7 @@ public final class AccessControlProtos {
|
|||
public interface UserPermissionsRequestOrBuilder
|
||||
extends com.google.protobuf.MessageOrBuilder {
|
||||
|
||||
// required bytes table = 1;
|
||||
// optional bytes table = 1;
|
||||
boolean hasTable();
|
||||
com.google.protobuf.ByteString getTable();
|
||||
}
|
||||
|
@ -4106,7 +4106,7 @@ public final class AccessControlProtos {
|
|||
}
|
||||
|
||||
private int bitField0_;
|
||||
// required bytes table = 1;
|
||||
// optional bytes table = 1;
|
||||
public static final int TABLE_FIELD_NUMBER = 1;
|
||||
private com.google.protobuf.ByteString table_;
|
||||
public boolean hasTable() {
|
||||
|
@ -4124,10 +4124,6 @@ public final class AccessControlProtos {
|
|||
byte isInitialized = memoizedIsInitialized;
|
||||
if (isInitialized != -1) return isInitialized == 1;
|
||||
|
||||
if (!hasTable()) {
|
||||
memoizedIsInitialized = 0;
|
||||
return false;
|
||||
}
|
||||
memoizedIsInitialized = 1;
|
||||
return true;
|
||||
}
|
||||
|
@ -4376,10 +4372,6 @@ public final class AccessControlProtos {
|
|||
}
|
||||
|
||||
public final boolean isInitialized() {
|
||||
if (!hasTable()) {
|
||||
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -4417,7 +4409,7 @@ public final class AccessControlProtos {
|
|||
|
||||
private int bitField0_;
|
||||
|
||||
// required bytes table = 1;
|
||||
// optional bytes table = 1;
|
||||
private com.google.protobuf.ByteString table_ = com.google.protobuf.ByteString.EMPTY;
|
||||
public boolean hasTable() {
|
||||
return ((bitField0_ & 0x00000001) == 0x00000001);
|
||||
|
@ -6425,7 +6417,7 @@ public final class AccessControlProtos {
|
|||
"\017.UserPermission\"\017\n\rGrantResponse\"4\n\rRev" +
|
||||
"okeRequest\022#\n\npermission\030\001 \002(\0132\017.UserPer" +
|
||||
"mission\"\020\n\016RevokeResponse\"\'\n\026UserPermiss" +
|
||||
"ionsRequest\022\r\n\005table\030\001 \002(\014\">\n\027UserPermis" +
|
||||
"ionsRequest\022\r\n\005table\030\001 \001(\014\">\n\027UserPermis" +
|
||||
"sionsResponse\022#\n\npermission\030\001 \003(\0132\017.User" +
|
||||
"Permission\":\n\027CheckPermissionsRequest\022\037\n" +
|
||||
"\npermission\030\001 \003(\0132\013.Permission\"\032\n\030CheckP" +
|
||||
|
|
|
@ -70,7 +70,7 @@ message RevokeResponse {
|
|||
|
||||
|
||||
message UserPermissionsRequest {
|
||||
required bytes table = 1;
|
||||
optional bytes table = 1;
|
||||
}
|
||||
|
||||
message UserPermissionsResponse {
|
||||
|
|
|
@ -1142,8 +1142,11 @@ public class AccessController extends BaseRegionObserver
|
|||
public void getUserPermissions(RpcController controller,
|
||||
AccessControlProtos.UserPermissionsRequest request,
|
||||
RpcCallback<AccessControlProtos.UserPermissionsResponse> done) {
|
||||
byte[] table = request.getTable().toByteArray();
|
||||
AccessControlProtos.UserPermissionsResponse response = null;
|
||||
byte[] table = null;
|
||||
if (request.hasTable()) {
|
||||
table = request.getTable().toByteArray();
|
||||
}
|
||||
try {
|
||||
// only allowed to be called on _acl_ region
|
||||
if (aclRegion) {
|
||||
|
|
|
@ -352,6 +352,7 @@ public class TableAuthManager {
|
|||
if (authorizeUser(username, action)) {
|
||||
return true;
|
||||
}
|
||||
if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
|
||||
return authorize(getTablePermissions(table).getUser(username), table, family,
|
||||
qualifier, action);
|
||||
}
|
||||
|
@ -380,6 +381,7 @@ public class TableAuthManager {
|
|||
if (authorizeGroup(groupName, action)) {
|
||||
return true;
|
||||
}
|
||||
if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
|
||||
return authorize(getTablePermissions(table).getGroup(groupName), table, family, action);
|
||||
}
|
||||
|
||||
|
|
|
@ -33,11 +33,11 @@ import org.apache.hadoop.conf.Configuration;
|
|||
import org.apache.hadoop.hbase.Coprocessor;
|
||||
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
||||
import org.apache.hadoop.hbase.HColumnDescriptor;
|
||||
import org.apache.hadoop.hbase.HConstants;
|
||||
import org.apache.hadoop.hbase.HRegionInfo;
|
||||
import org.apache.hadoop.hbase.HTableDescriptor;
|
||||
import org.apache.hadoop.hbase.LargeTests;
|
||||
import org.apache.hadoop.hbase.ServerName;
|
||||
import org.apache.hadoop.hbase.UnknownRowLockException;
|
||||
import org.apache.hadoop.hbase.client.Append;
|
||||
import org.apache.hadoop.hbase.client.Delete;
|
||||
import org.apache.hadoop.hbase.client.Get;
|
||||
|
@ -1161,6 +1161,19 @@ public class TestAccessController {
|
|||
admin.deleteTable(tableName);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalPermissionList() throws Exception {
|
||||
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
|
||||
AccessControlService.BlockingInterface protocol =
|
||||
AccessControlService.newBlockingStub(service);
|
||||
List<UserPermission> perms = ProtobufUtil.getUserPermissions(protocol, null);
|
||||
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
|
||||
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
|
||||
assertTrue("Only user admin has permission on table _acl_ per setup",
|
||||
perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
|
||||
}
|
||||
|
||||
/** global operations */
|
||||
private void verifyGlobal(PrivilegedExceptionAction<?> action) throws Exception {
|
||||
verifyAllowed(action, SUPERUSER);
|
||||
|
|
Loading…
Reference in New Issue