From 4fa7db7304f7766ba39bb280585b0836fd83bac1 Mon Sep 17 00:00:00 2001
From: anoopsamjohn
Date: Sat, 29 Mar 2014 11:11:20 +0000
Subject: [PATCH] HBASE-10860 Insufficient AccessController covering permission check.(Anoop)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1582987 13f79535-47bb-0310-9956-ffa450edef68
---
 .../hbase/security/access/AccessController.java | 12 ++++++++++--
 .../security/access/TestAccessController.java | 15 +++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 6851c7d6758..954d4c4d1f0 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -38,6 +38,7 @@ import org.apache.hadoop.hbase.CellUtil;
 import org.apache.hadoop.hbase.CoprocessorEnvironment;
 import org.apache.hadoop.hbase.DoNotRetryIOException;
 import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.KeyValue.Type;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
@@ -526,8 +527,15 @@ public class AccessController extends BaseRegionObserver
 if (list == null || list.isEmpty()) {
 get.addFamily(col);
 } else {
- for (Cell cell: list) {
- get.addColumn(col, CellUtil.cloneQualifier(cell));
+ // In case of family delete, a Cell will be added into the list with Qualifier as null.
+ for (Cell cell : list) {
+ if (cell.getQualifierLength() == 0
+ && (cell.getTypeByte() == Type.DeleteFamily.getCode()
+ || cell.getTypeByte() == Type.DeleteFamilyVersion.getCode())) {
+ get.addFamily(col);
+ } else {
+ get.addColumn(col, CellUtil.cloneQualifier(cell));
+ }
 }
 }
 } else {
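Review bot: In the second AccessController.java hunk the loop keeps iterating after `get.addFamily(col)`, so a later cell of the same family that carries a qualifier still reaches `get.addColumn(col, CellUtil.cloneQualifier(cell))`. If Get.addColumn replaces the whole-family entry with a qualifier set (its implementation is not on this page, so confirm), a Delete that mixes a family marker with column markers would have its covering read narrowed back to the named columns, which is the gap this commit is meant to close. Adding `break;` directly after `get.addFamily(col);` keeps the family-wide read once any family-level marker is seen. The enclosing method starts and ends outside the hunk, so how `get` is consumed afterwards is not visible here.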
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index efa020394ae..fa21b4c85da 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -1315,6 +1315,21 @@ public class TestAccessController extends SecureTestUtil {
 return null;
 }
 });
+ // user1 should be allowed to delete the cf. (All data under cf for a row)
+ user1.runAs(new PrivilegedExceptionAction() {
+ @Override
+ public Void run() throws Exception {
+ HTable t = new HTable(conf, TEST_TABLE.getTableName());
+ try {
+ Delete d = new Delete(TEST_ROW2);
+ d.deleteFamily(TEST_FAMILY);
+ t.delete(d);
+ } finally {
+ t.close();
+ }
+ return null;
+ }
+ });
 }

 @Test
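Review bot: The case added to TestAccessController exercises only the allow path for a family delete; nothing in this hunk asserts that a family delete is rejected when the caller lacks permission on some cell under that family. Because the commit fixes an insufficient covering check, a deny-path assertion is what would pin the fix: a second action run as a user without cell-level access to the row, expecting an access-denied failure (such a case may already exist outside the hunk). A short comment above the new block, for example `// covering check must read the whole family, not only the empty qualifier`, would also record why the case exists. The enclosing test method starts outside the hunk.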