HBASE-7373 table should not be required in AccessControlService

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1424604 13f79535-47bb-0310-9956-ffa450edef68

hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java

@@ -4073,7 +4073,7 @@ public final class AccessControlProtos {
   public interface UserPermissionsRequestOrBuilder
       extends com.google.protobuf.MessageOrBuilder {
     
-    // required bytes table = 1;
+    // optional bytes table = 1;
     boolean hasTable();
     com.google.protobuf.ByteString getTable();
   }
@@ -4106,7 +4106,7 @@ public final class AccessControlProtos {
     }
     
     private int bitField0_;
-    // required bytes table = 1;
+    // optional bytes table = 1;
     public static final int TABLE_FIELD_NUMBER = 1;
     private com.google.protobuf.ByteString table_;
     public boolean hasTable() {
@@ -4124,10 +4124,6 @@ public final class AccessControlProtos {
       byte isInitialized = memoizedIsInitialized;
       if (isInitialized != -1) return isInitialized == 1;
       
-      if (!hasTable()) {
-        memoizedIsInitialized = 0;
-        return false;
-      }
       memoizedIsInitialized = 1;
       return true;
     }
@@ -4376,10 +4372,6 @@ public final class AccessControlProtos {
       }
       
       public final boolean isInitialized() {
-        if (!hasTable()) {
-          
-          return false;
-        }
         return true;
       }
       
@@ -4417,7 +4409,7 @@ public final class AccessControlProtos {
       
       private int bitField0_;
       
-      // required bytes table = 1;
+      // optional bytes table = 1;
       private com.google.protobuf.ByteString table_ = com.google.protobuf.ByteString.EMPTY;
       public boolean hasTable() {
         return ((bitField0_ & 0x00000001) == 0x00000001);
@@ -6425,7 +6417,7 @@ public final class AccessControlProtos {
       "\017.UserPermission\"\017\n\rGrantResponse\"4\n\rRev" +
       "okeRequest\022#\n\npermission\030\001 \002(\0132\017.UserPer" +
       "mission\"\020\n\016RevokeResponse\"\'\n\026UserPermiss" +
-      "ionsRequest\022\r\n\005table\030\001 \002(\014\">\n\027UserPermis" +
+      "ionsRequest\022\r\n\005table\030\001 \001(\014\">\n\027UserPermis" +
       "sionsResponse\022#\n\npermission\030\001 \003(\0132\017.User" +
       "Permission\":\n\027CheckPermissionsRequest\022\037\n" +
       "\npermission\030\001 \003(\0132\013.Permission\"\032\n\030CheckP" +

hbase-protocol/src/main/protobuf/AccessControl.proto

@@ -70,7 +70,7 @@ message RevokeResponse {
 
 
 message UserPermissionsRequest {
-    required bytes table = 1;
+    optional bytes table = 1;
 }
 
 message UserPermissionsResponse {

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

@@ -1142,8 +1142,11 @@ public class AccessController extends BaseRegionObserver
   public void getUserPermissions(RpcController controller,
                                  AccessControlProtos.UserPermissionsRequest request,
                                  RpcCallback<AccessControlProtos.UserPermissionsResponse> done) {
-    byte[] table = request.getTable().toByteArray();
     AccessControlProtos.UserPermissionsResponse response = null;
+    byte[] table = null;
+    if (request.hasTable()) {
+      table = request.getTable().toByteArray();
+    }
     try {
       // only allowed to be called on _acl_ region
       if (aclRegion) {

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java

@@ -352,6 +352,7 @@ public class TableAuthManager {
     if (authorizeUser(username, action)) {
       return true;
     }
+    if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
     return authorize(getTablePermissions(table).getUser(username), table, family,
         qualifier, action);
   }
@@ -380,6 +381,7 @@ public class TableAuthManager {
     if (authorizeGroup(groupName, action)) {
       return true;
     }
+    if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
     return authorize(getTablePermissions(table).getGroup(groupName), table, family, action);
   }
 

hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

@@ -33,11 +33,11 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.Coprocessor;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
+import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.LargeTests;
 import org.apache.hadoop.hbase.ServerName;
-import org.apache.hadoop.hbase.UnknownRowLockException;
 import org.apache.hadoop.hbase.client.Append;
 import org.apache.hadoop.hbase.client.Delete;
 import org.apache.hadoop.hbase.client.Get;
@@ -1161,6 +1161,19 @@ public class TestAccessController {
     admin.deleteTable(tableName);
   }
 
+  @Test
+  public void testGlobalPermissionList() throws Exception {
+    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
+    AccessControlService.BlockingInterface protocol =
+      AccessControlService.newBlockingStub(service);
+    List<UserPermission> perms = ProtobufUtil.getUserPermissions(protocol, null);
+    UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
+      AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
+    assertTrue("Only user admin has permission on table _acl_ per setup",
+      perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+  }
+
   /** global operations */
   private void verifyGlobal(PrivilegedExceptionAction<?> action) throws Exception {
     verifyAllowed(action, SUPERUSER);