HBASE-25432:add security checks for setTableStateInMeta and fixMeta (#2809)

Signed-off-by: Duo Zhang <zhangduo@apache.org>
Signed-off-by: Viraj Jasani <vjasani@apache.org>
lujiefsi 2020-12-29 02:57:30 +08:00 committed by GitHub
parent 140c7f6ea0
commit d963342f8a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 0 deletions


@ -2527,6 +2527,7 @@ public class MasterRpcServices extends RSRpcServices implements
@Override
public GetTableStateResponse setTableStateInMeta(RpcController controller,
SetTableStateInMetaRequest request) throws ServiceException {
rpcPreCheck("setTableStateInMeta");
TableName tn = ProtobufUtil.toTableName(request.getTableName());
try {
TableState prevState = this.master.getTableStateManager().getTableState(tn);
@ -2732,6 +2733,7 @@ public class MasterRpcServices extends RSRpcServices implements
@Override
public FixMetaResponse fixMeta(RpcController controller, FixMetaRequest request)
throws ServiceException {
rpcPreCheck("fixMeta");
try {
MetaFixer mf = new MetaFixer(this.master);
mf.fix();
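Review bot: The authorization guard is opt-in per method, so any other Hbck-facing RPC in MasterRpcServices that does not call `rpcPreCheck(...)` itself remains reachable without a permission check. Those methods are outside these two hunks, so the whole service interface should be audited, not only `setTableStateInMeta` and `fixMeta`. The permission being enforced is also not visible at either call site. Judging by the users the new tests expect to be denied it is presumably global ADMIN, and a comment such as `// Caller must hold ADMIN; checked before any read or write of meta state` above each call would make that explicit. Both method bodies continue past the end of their hunks.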


@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.io.hfile.HFile;
import org.apache.hadoop.hbase.ipc.RemoteWithExtrasException;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
@ -249,6 +250,9 @@ public class SecureTestUtil {
// is buried in the stack trace
Throwable ex = e;
do {
if (ex instanceof RemoteWithExtrasException) {
ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();
}
if (ex instanceof AccessDeniedException) {
isAccessDeniedException = true;
break;
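Review bot: The new `RemoteWithExtrasException` branch in the `do` loop has no comment explaining why it is needed, and it changes which exception chain the rest of the loop walks. After `ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();` the original wrapper's own cause chain is no longer inspected. Presumably the Hbck calls surface the denial as a remote exception rather than as a nested cause, so a comment such as `// Hbck RPCs return the denial as a RemoteWithExtrasException; unwrap it so the instanceof check below can see it` would record that. The loop's advance step and its termination condition lie outside the hunk.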


@ -59,6 +59,7 @@ import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Hbck;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hadoop.hbase.client.Put;
@ -72,6 +73,7 @@ import org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.client.TableState;
import org.apache.hadoop.hbase.client.security.SecurityCapability;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
@ -379,6 +381,34 @@ public class TestAccessController extends SecureTestUtil {
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
public void testUnauthorizedSetTableStateInMeta() throws Exception {
AccessTestAction action = () -> {
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Hbck hbck = conn.getHbck()){
hbck.setTableStateInMeta(new TableState(TEST_TABLE, TableState.State.DISABLED));
}
return null;
};
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
public void testUnauthorizedFixMeta() throws Exception {
AccessTestAction action = () -> {
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Hbck hbck = conn.getHbck()){
hbck.fixMeta();
}
return null;
};
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
public void testSecurityCapabilities() throws Exception {
List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin()
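Review bot: Both new tests assert only the denied side, so they would still pass if the RPCs rejected every caller, administrators included. Each test needs a positive case next to `verifyDenied`, for example `verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);`, which pins the intended permission level. For `testUnauthorizedSetTableStateInMeta` an allowed call really does mark `TEST_TABLE` as DISABLED in meta, so the positive case must restore the previous state afterwards or later tests in the class will see a disabled table. As a style point, `try(` and `){` should be written `try (` and `) {` to match the rest of the file.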