HBASE-14818 user_permission does not list namespace permissions (li xiang)

Jerry He 2016-05-21 20:06:05 -07:00
parent 0671cba65f
commit 56e4b85d06
4 changed files with 40 additions and 11 deletions


@ -217,11 +217,16 @@ public class AccessControlClient {
HTableDescriptor[] htds = null;
if (tableRegex == null || tableRegex.isEmpty()) {
permList = ProtobufUtil.getUserPermissions(controller, protocol);
} else if (tableRegex.charAt(0) == '@') {
String namespace = tableRegex.substring(1);
permList = ProtobufUtil.getUserPermissions(controller, protocol,
Bytes.toBytes(namespace));
} else {
} else if (tableRegex.charAt(0) == '@') { // Namespaces
String namespaceRegex = tableRegex.substring(1);
for (NamespaceDescriptor nsds : admin.listNamespaceDescriptors()) { // Read out all namespaces
String namespace = nsds.getName();
if (namespace.matches(namespaceRegex)) { // Match the given namespace regex?
permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
Bytes.toBytes(namespace)));
}
}
} else { // Tables
htds = admin.listTables(Pattern.compile(tableRegex), true);
for (HTableDescriptor hd : htds) {
permList.addAll(ProtobufUtil.getUserPermissions(controller, protocol,
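Review bot: The new namespace branch calls `namespace.matches(namespaceRegex)` inside the loop, so the caller-supplied regex is recompiled for every namespace and a malformed pattern is only reported after `admin.listNamespaceDescriptors()` has already been called. Compile it once before the loop, as the table branch does with `Pattern.compile(tableRegex)`: `Pattern nsPattern = Pattern.compile(namespaceRegex);` and then `if (nsPattern.matcher(namespace).matches()) {`. An input of just `@` now produces an empty regex that appears to match no namespace, so the call would return no permissions without any error; an explicit check or a comment would show whether that is intended. The enclosing method starts and ends outside the hunk.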


@ -2596,19 +2596,41 @@ public class TestAccessController extends SecureTestUtil {
NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
createNamespace(TEST_UTIL, desc);
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
// Test 1: A specific namespace
getNamespacePermissionsAndVerify(namespace, 1, namespace);
// Test 2: '@.*'
getNamespacePermissionsAndVerify(".*", 1, namespace);
// Test 3: A more complex regex
getNamespacePermissionsAndVerify("^test[a-zA-Z]*", 1, namespace);
deleteNamespace(TEST_UTIL, namespace);
}
/**
* List all user permissions match the given regular expression for namespace
* and verify each of them.
* @param namespaceRegexWithoutPrefix the regualar expression for namespace, without NAMESPACE_PREFIX
* @param expectedAmount the expected amount of user permissions returned
* @param expectedNamespace the expected namespace of each user permission returned
* @throws HBaseException in the case of any HBase exception when accessing hbase:acl table
*/
private void getNamespacePermissionsAndVerify(String namespaceRegexWithoutPrefix,
int expectedAmount, String expectedNamespace) throws HBaseException {
try {
List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
systemUserConnection, AccessControlLists.toNamespaceEntry(namespaceRegexWithoutPrefix));
assertTrue(namespacePermissions != null);
assertTrue(namespacePermissions.size() == 1);
assertEquals(expectedAmount, namespacePermissions.size());
for (UserPermission namespacePermission : namespacePermissions) {
assertFalse(namespacePermission.isGlobal()); // Verify it is not a global user permission
assertEquals(namespace, namespacePermission.getNamespace()); // Verify namespace is set
assertEquals(expectedNamespace, namespacePermission.getNamespace()); // Verify namespace is set
}
} catch (Throwable thw) {
throw new HBaseException(thw);
}
deleteNamespace(TEST_UTIL, namespace);
}
@Test (timeout=180000)
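Review bot: The three new checks only use regexes that match the single namespace created here, so nothing verifies that a non-matching namespace is excluded from the result, which is the property a permission-listing filter most needs tested. Add a negative case such as `getNamespacePermissionsAndVerify("^nomatch$", 0, namespace);`, and ideally a second namespace with its own grant so that a regex selecting one is checked against the other. `deleteNamespace(TEST_UTIL, namespace)` runs only if all three verifications pass; moving it into a `finally` would stop a failed run from leaving the namespace and its grant behind for later tests. The test method starts outside the hunk.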


@ -137,9 +137,9 @@ module Hbase
all_perms.each do |value|
user_name = String.from_java_bytes(value.getUser)
if (table_regex != nil && isNamespace?(table_regex))
namespace = table_regex[1...table_regex.length]
namespace = value.getNamespace()
else
namespace = (value.getTableName != nil) ? value.getTableName.getNamespaceAsString() : ''
namespace = (value.getTableName != nil) ? value.getTableName.getNamespaceAsString() : value.getNamespace()
end
table = (value.getTableName != nil) ? value.getTableName.getNameAsString() : ''
family = (value.getFamily != nil) ?
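Review bot: In the `else` branch the fallback changed from `''` to `value.getNamespace()`, which may be nil for a global permission that has neither a table nor a namespace (inferred; the Java side is not visible here). If the code after this hunk concatenates or formats `namespace`, keep the empty-string default: `namespace = (value.getTableName != nil) ? value.getTableName.getNamespaceAsString() : (value.getNamespace() || '')`. The `all_perms.each` block continues outside the hunk.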


@ -30,6 +30,8 @@ For example:
hbase> user_permission
hbase> user_permission '@ns1'
hbase> user_permission '@.*'
hbase> user_permission '@^[a-c].*'
hbase> user_permission 'table1'
hbase> user_permission 'namespace1:table1'
hbase> user_permission '.*'