HBASE-26228 updateRSGroupConfig operation should be authorized by AccessController (#3633)
Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Baiqiang Zhao <zhaobaiqiang@apache.org>
This commit is contained in:
parent
afbdd4115b
commit
b7c6a0b637
|
@ -2617,4 +2617,11 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
|||
accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup",
|
||||
null, Permission.Action.ADMIN);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||
final String groupName, final Map<String, String> configuration) throws IOException {
|
||||
accessChecker
|
||||
.requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null, Permission.Action.ADMIN);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -342,6 +342,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
|
|||
boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
|
||||
boolean preRenameRSGroup = false;
|
||||
boolean postRenameRSGroup = false;
|
||||
boolean preUpdateRSGroupConfig = false;
|
||||
boolean postUpdateRSGroupConfig = false;
|
||||
|
||||
public void resetFlags() {
|
||||
preBalanceRSGroupCalled = false;
|
||||
|
@ -374,6 +376,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
|
|||
postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
|
||||
preRenameRSGroup = false;
|
||||
postRenameRSGroup = false;
|
||||
preUpdateRSGroupConfig = false;
|
||||
postUpdateRSGroupConfig = false;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -548,5 +552,17 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
|
|||
String newName) throws IOException {
|
||||
postRenameRSGroup = true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void preUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||
final String groupName, final Map<String, String> configuration) throws IOException {
|
||||
preUpdateRSGroupConfig = true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void postUpdateRSGroupConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||
final String groupName, final Map<String, String> configuration) throws IOException {
|
||||
postUpdateRSGroupConfig = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -333,6 +333,16 @@ public class TestRSGroupsWithACL extends SecureTestUtil {
|
|||
validateAdminPermissions(action);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUpdateRSGroupConfig() throws Exception {
|
||||
AccessTestAction action = () -> {
|
||||
checkPermission("updateRSGroupConfig");
|
||||
return null;
|
||||
};
|
||||
|
||||
validateAdminPermissions(action);
|
||||
}
|
||||
|
||||
private void validateAdminPermissions(AccessTestAction action) throws Exception {
|
||||
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
|
||||
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||
|
|
Loading…
Reference in New Issue