HBASE-25432:add security checks for setTableStateInMeta and fixMeta (#2809)

Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Viraj Jasani <vjasani@apache.org>
2020-12-29 02:57:30 +08:00 · 2020-12-29 02:57:30 +08:00 · d963342f8a
parent 140c7f6ea0
commit d963342f8a
3 changed files with 36 additions and 0 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@ -2527,6 +2527,7 @@ public class MasterRpcServices extends RSRpcServices implements
  @Override
  public GetTableStateResponse setTableStateInMeta(RpcController controller,
      SetTableStateInMetaRequest request) throws ServiceException {
+    rpcPreCheck("setTableStateInMeta");
    TableName tn = ProtobufUtil.toTableName(request.getTableName());
    try {
      TableState prevState = this.master.getTableStateManager().getTableState(tn);
@ -2732,6 +2733,7 @@ public class MasterRpcServices extends RSRpcServices implements
  @Override
  public FixMetaResponse fixMeta(RpcController controller, FixMetaRequest request)
      throws ServiceException {
+    rpcPreCheck("fixMeta");
    try {
      MetaFixer mf = new MetaFixer(this.master);
      mf.fix();
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
 import org.apache.hadoop.hbase.coprocessor.MasterObserver;
 import org.apache.hadoop.hbase.coprocessor.ObserverContext;
 import org.apache.hadoop.hbase.io.hfile.HFile;
+import org.apache.hadoop.hbase.ipc.RemoteWithExtrasException;
 import org.apache.hadoop.hbase.regionserver.HRegion;
 import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.User;
@ -249,6 +250,9 @@ public class SecureTestUtil {
          // is buried in the stack trace
          Throwable ex = e;
          do {
+            if (ex instanceof RemoteWithExtrasException) {
+              ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();
+            }
            if (ex instanceof AccessDeniedException) {
              isAccessDeniedException = true;
              break;
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@ -59,6 +59,7 @@ import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
 import org.apache.hadoop.hbase.client.Delete;
 import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.Hbck;
 import org.apache.hadoop.hbase.client.Increment;
 import org.apache.hadoop.hbase.client.MasterSwitchType;
 import org.apache.hadoop.hbase.client.Put;
@ -72,6 +73,7 @@ import org.apache.hadoop.hbase.client.SnapshotDescription;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.client.TableDescriptor;
 import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
+import org.apache.hadoop.hbase.client.TableState;
 import org.apache.hadoop.hbase.client.security.SecurityCapability;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
 import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
@ -379,6 +381,34 @@ public class TestAccessController extends SecureTestUtil {
        USER_GROUP_WRITE, USER_GROUP_CREATE);
  }

+  @Test
+  public void testUnauthorizedSetTableStateInMeta() throws Exception {
+    AccessTestAction action = () -> {
+      try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+        Hbck hbck = conn.getHbck()){
+        hbck.setTableStateInMeta(new TableState(TEST_TABLE, TableState.State.DISABLED));
+      }
+      return null;
+    };
+
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE, USER_GROUP_CREATE);
+  }
+
+  @Test
+  public void testUnauthorizedFixMeta() throws Exception {
+    AccessTestAction action = () -> {
+      try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+        Hbck hbck = conn.getHbck()){
+        hbck.fixMeta();
+      }
+      return null;
+    };
+
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE, USER_GROUP_CREATE);
+  }
+
  @Test
  public void testSecurityCapabilities() throws Exception {
    List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin()