HBASE-26228 updateRSGroupConfig operation should be authorized by AccessController (#3633)

Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Baiqiang Zhao <zhaobaiqiang@apache.org>
2021-09-07 19:47:26 +05:30 · 2021-09-07 19:47:26 +05:30 · b7c6a0b637
parent afbdd4115b
commit b7c6a0b637
3 changed files with 33 additions and 0 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@ -2617,4 +2617,11 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
    accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup",
      null, Permission.Action.ADMIN);
  }
+
+  @Override
+  public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+    final String groupName, final Map<String, String> configuration) throws IOException {
+    accessChecker
+      .requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null, Permission.Action.ADMIN);
+  }
 }
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
@ -342,6 +342,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
    boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
    boolean preRenameRSGroup = false;
    boolean postRenameRSGroup = false;
+    boolean preUpdateRSGroupConfig = false;
+    boolean postUpdateRSGroupConfig = false;

    public void resetFlags() {
      preBalanceRSGroupCalled = false;
@ -374,6 +376,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
      postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
      preRenameRSGroup = false;
      postRenameRSGroup = false;
+      preUpdateRSGroupConfig = false;
+      postUpdateRSGroupConfig = false;
    }

    @Override
@ -548,5 +552,17 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
      String newName) throws IOException {
      postRenameRSGroup = true;
    }
+
+    @Override
+    public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+      final String groupName, final Map<String, String> configuration) throws IOException {
+      preUpdateRSGroupConfig = true;
+    }
+
+    @Override
+    public void postUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
+      final String groupName, final Map<String, String> configuration) throws IOException {
+      postUpdateRSGroupConfig = true;
+    }
  }
 }
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@ -333,6 +333,16 @@ public class TestRSGroupsWithACL extends SecureTestUtil {
    validateAdminPermissions(action);
  }

+  @Test
+  public void testUpdateRSGroupConfig() throws Exception {
+    AccessTestAction action = () -> {
+      checkPermission("updateRSGroupConfig");
+      return null;
+    };
+
+    validateAdminPermissions(action);
+  }
+
  private void validateAdminPermissions(AccessTestAction action) throws Exception {
    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,