diff --git a/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java b/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java index b246e53cb9f..49cccfc6830 100644 --- a/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java +++ b/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java @@ -4073,7 +4073,7 @@ public final class AccessControlProtos { public interface UserPermissionsRequestOrBuilder extends com.google.protobuf.MessageOrBuilder { - // required bytes table = 1; + // optional bytes table = 1; boolean hasTable(); com.google.protobuf.ByteString getTable(); } @@ -4106,7 +4106,7 @@ public final class AccessControlProtos { } private int bitField0_; - // required bytes table = 1; + // optional bytes table = 1; public static final int TABLE_FIELD_NUMBER = 1; private com.google.protobuf.ByteString table_; public boolean hasTable() { @@ -4124,10 +4124,6 @@ public final class AccessControlProtos { byte isInitialized = memoizedIsInitialized; if (isInitialized != -1) return isInitialized == 1; - if (!hasTable()) { - memoizedIsInitialized = 0; - return false; - } memoizedIsInitialized = 1; return true; } @@ -4376,10 +4372,6 @@ public final class AccessControlProtos { } public final boolean isInitialized() { - if (!hasTable()) { - - return false; - } return true; } @@ -4417,7 +4409,7 @@ public final class AccessControlProtos { private int bitField0_; - // required bytes table = 1; + // optional bytes table = 1; private com.google.protobuf.ByteString table_ = com.google.protobuf.ByteString.EMPTY; public boolean hasTable() { return ((bitField0_ & 0x00000001) == 0x00000001); 
@@ -6425,7 +6417,7 @@ public final class AccessControlProtos { "\017.UserPermission\"\017\n\rGrantResponse\"4\n\rRev" + "okeRequest\022#\n\npermission\030\001 \002(\0132\017.UserPer" + "mission\"\020\n\016RevokeResponse\"\'\n\026UserPermiss" + - "ionsRequest\022\r\n\005table\030\001 \002(\014\">\n\027UserPermis" + + "ionsRequest\022\r\n\005table\030\001 \001(\014\">\n\027UserPermis" + "sionsResponse\022#\n\npermission\030\001 \003(\0132\017.User" + "Permission\":\n\027CheckPermissionsRequest\022\037\n" + "\npermission\030\001 \003(\0132\013.Permission\"\032\n\030CheckP" + diff --git a/hbase-protocol/src/main/protobuf/AccessControl.proto b/hbase-protocol/src/main/protobuf/AccessControl.proto index ea772827b52..444109230a5 100644 --- a/hbase-protocol/src/main/protobuf/AccessControl.proto +++ b/hbase-protocol/src/main/protobuf/AccessControl.proto @@ -70,7 +70,7 @@ message RevokeResponse { message UserPermissionsRequest { - required bytes table = 1; + optional bytes table = 1; } message UserPermissionsResponse { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 92fc38c7fe1..10413a02de7 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -1142,8 +1142,11 @@ public class AccessController extends BaseRegionObserver public void getUserPermissions(RpcController controller, AccessControlProtos.UserPermissionsRequest request, RpcCallback done) { - byte[] table = request.getTable().toByteArray(); AccessControlProtos.UserPermissionsResponse response = null; + byte[] table = null; + if (request.hasTable()) { + table = request.getTable().toByteArray(); + } try { // only allowed to be called on _acl_ region if (aclRegion) { 
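Review bot: The now-optional `table` field in `UserPermissionsRequest` carries no comment saying what an unset value means, and that meaning is security-relevant because it selects which grants the call returns. Judging by the test added in this commit, an absent table appears to ask for the global permission list; I would state that on the field, e.g. `// Unset: list global permissions instead of one table's.` A peer still built against the `required` definition will presumably reject a request that omits the field, so mixed-version deployments deserve a line in the release note.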
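Review bot: `request.hasTable()` in getUserPermissions only separates an unset field from a set one, so a request that sets `table` to zero bytes still yields an empty array rather than null and does not take the new no-table path. Decide explicitly what that input means, either by rejecting it or by treating it as unset with `if (request.hasTable() && !request.getTable().isEmpty()) {`. A comment such as `// null table: caller asked for global permissions; the ADMIN check below must cover that scope` would help as well. The permission check and the lookup that consume `table` sit below the hunk, so whether they handle null correctly cannot be confirmed from here.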
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java index 86675abb248..0252f46e455 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java @@ -352,6 +352,7 @@ public class TableAuthManager { if (authorizeUser(username, action)) { return true; } + if (table == null) table = AccessControlLists.ACL_TABLE_NAME; return authorize(getTablePermissions(table).getUser(username), table, family, qualifier, action); } @@ -380,6 +381,7 @@ public class TableAuthManager { if (authorizeGroup(groupName, action)) { return true; } + if (table == null) table = AccessControlLists.ACL_TABLE_NAME; return authorize(getTablePermissions(table).getGroup(groupName), table, family, action); } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index c662d55a6de..1d3654f913a 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
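Review bot: The added `if (table == null) table = AccessControlLists.ACL_TABLE_NAME;` in authorizeUser, and the identical line in authorizeGroup in the next hunk, means every caller that passes a null table is now authorized against the grants on the ACL table, not only the permission-listing call this commit targets. A silent default inside a general authorization method is easy to reach by accident, so I would prefer that the one caller which means "global scope" pass the ACL table name itself, or at least that the rule be documented in the Javadoc of both methods. If the fallback stays, write it with braces and a why-comment: `// no table given: check grants on the ACL table` above `if (table == null) { table = AccessControlLists.ACL_TABLE_NAME; }`. Both method bodies begin above their hunks, so how `family` and `qualifier` are expected to behave alongside a null table is not visible here.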
@@ -33,11 +33,11 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.Coprocessor; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HColumnDescriptor; +import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.HRegionInfo; import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.LargeTests; import org.apache.hadoop.hbase.ServerName; -import org.apache.hadoop.hbase.UnknownRowLockException; import org.apache.hadoop.hbase.client.Append; import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Get; @@ -1161,6 +1161,19 @@ public class TestAccessController { admin.deleteTable(tableName); } + @Test + public void testGlobalPermissionList() throws Exception { + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + List perms = ProtobufUtil.getUserPermissions(protocol, null); + UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), + AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); + assertTrue("Only user admin has permission on table _acl_ per setup", + perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); + } + /** global operations */ private void verifyGlobal(PrivilegedExceptionAction action) throws Exception { verifyAllowed(action, SUPERUSER);
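Review bot: testGlobalPermissionList only exercises the allowed path; nothing in it checks that a user without ADMIN is refused when listing permissions with a null table, which is the case the new null-table fallback in TableAuthManager makes reachable. Add a second case that issues the same `ProtobufUtil.getUserPermissions(protocol, null)` call as an unprivileged test user and expects a denial. The `HTable acl` opened on the first line is never closed; wrap the body in `try { ... } finally { acl.close(); }`. Splitting the combined assertion into `assertEquals(1, perms.size());` and `assertTrue(hasFoundUserPermission(adminPerm, perms));` would also show which half failed.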