HBASE-6253. Do not allow user to disable or drop ACL table (Gopinathan)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1358029 13f79535-47bb-0310-9956-ffa450edef68

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

@@ -664,6 +664,10 @@ public class AccessController extends BaseRegionObserver
   @Override
   public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName)
       throws IOException {
+    if (Bytes.equals(tableName, AccessControlLists.ACL_GLOBAL_NAME)) {
+      throw new AccessDeniedException("Not allowed to disable "
+          + AccessControlLists.ACL_TABLE_NAME_STR + " table.");
+    }
     requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
   }
 

hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

@@ -306,8 +306,19 @@ public class TestAccessController {
       }
     };
 
+    PrivilegedExceptionAction disableAclTable = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null),
+            AccessControlLists.ACL_TABLE_NAME);
+        return null;
+      }
+    };
+
     verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
     verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+    
+    // No user should be allowed to disable _acl_ table
+    verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
   }
 
   @Test