HBASE-25432:add security checks for setTableStateInMeta and fixMeta (#2809)
Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Viraj Jasani <vjasani@apache.org>
parent
140c7f6ea0
commit
d963342f8a
|
@ -2527,6 +2527,7 @@ public class MasterRpcServices extends RSRpcServices implements
|
|||
@Override
|
||||
public GetTableStateResponse setTableStateInMeta(RpcController controller,
|
||||
SetTableStateInMetaRequest request) throws ServiceException {
|
||||
rpcPreCheck("setTableStateInMeta");
|
||||
TableName tn = ProtobufUtil.toTableName(request.getTableName());
|
||||
try {
|
||||
TableState prevState = this.master.getTableStateManager().getTableState(tn);
|
||||
|
@ -2732,6 +2733,7 @@ public class MasterRpcServices extends RSRpcServices implements
|
|||
@Override
|
||||
public FixMetaResponse fixMeta(RpcController controller, FixMetaRequest request)
|
||||
throws ServiceException {
|
||||
rpcPreCheck("fixMeta");
|
||||
try {
|
||||
MetaFixer mf = new MetaFixer(this.master);
|
||||
mf.fix();
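Review bot: The added `rpcPreCheck("setTableStateInMeta")` and `rpcPreCheck("fixMeta")` calls are the only authorization gate on two RPCs that repair meta state, yet neither call site says which privilege is enforced. rpcPreCheck is defined outside these hunks, so its exact checks cannot be confirmed here. If it also requires the master to be fully initialized, these repair RPCs will now be refused during startup, which is worth confirming against how hbck is used in recovery. I would add a comment above each call, for example `// Hbck repair RPC: rpcPreCheck must reject non-admin callers before any meta state is read or changed.`, and check that the other Hbck RPCs in this class carry the same guard. Both method bodies continue past the end of their hunks.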
|
||||
|
|
|
@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
|
|||
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
|
||||
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
|
||||
import org.apache.hadoop.hbase.io.hfile.HFile;
|
||||
import org.apache.hadoop.hbase.ipc.RemoteWithExtrasException;
|
||||
import org.apache.hadoop.hbase.regionserver.HRegion;
|
||||
import org.apache.hadoop.hbase.security.AccessDeniedException;
|
||||
import org.apache.hadoop.hbase.security.User;
|
||||
|
@ -249,6 +250,9 @@ public class SecureTestUtil {
|
|||
// is buried in the stack trace
|
||||
Throwable ex = e;
|
||||
do {
|
||||
if (ex instanceof RemoteWithExtrasException) {
|
||||
ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();
|
||||
}
|
||||
if (ex instanceof AccessDeniedException) {
|
||||
isAccessDeniedException = true;
|
||||
break;
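Review bot: The `RemoteWithExtrasException` branch reassigns `ex` to the unwrapped exception, so, assuming the loop advances through `getCause()`, the rest of the walk follows the unwrapped exception's chain and the original chain is dropped. This helper decides whether a test counts a call as denied, so the matching rule should be stated in a comment such as `// Remote calls may report denial wrapped in RemoteWithExtrasException; unwrap so the instanceof check sees the server-side type.`. The rendered page does not show which of these lines are new. The loop condition and the enclosing method also lie outside the hunk, so the reason for the unwrap is inferred from the Hbck tests added in this commit.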
|
||||
|
|
|
@ -59,6 +59,7 @@ import org.apache.hadoop.hbase.client.Connection;
|
|||
import org.apache.hadoop.hbase.client.ConnectionFactory;
|
||||
import org.apache.hadoop.hbase.client.Delete;
|
||||
import org.apache.hadoop.hbase.client.Get;
|
||||
import org.apache.hadoop.hbase.client.Hbck;
|
||||
import org.apache.hadoop.hbase.client.Increment;
|
||||
import org.apache.hadoop.hbase.client.MasterSwitchType;
|
||||
import org.apache.hadoop.hbase.client.Put;
|
||||
|
@ -72,6 +73,7 @@ import org.apache.hadoop.hbase.client.SnapshotDescription;
|
|||
import org.apache.hadoop.hbase.client.Table;
|
||||
import org.apache.hadoop.hbase.client.TableDescriptor;
|
||||
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
|
||||
import org.apache.hadoop.hbase.client.TableState;
|
||||
import org.apache.hadoop.hbase.client.security.SecurityCapability;
|
||||
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
|
||||
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
|
||||
|
@ -379,6 +381,34 @@ public class TestAccessController extends SecureTestUtil {
|
|||
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUnauthorizedSetTableStateInMeta() throws Exception {
|
||||
AccessTestAction action = () -> {
|
||||
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
|
||||
Hbck hbck = conn.getHbck()){
|
||||
hbck.setTableStateInMeta(new TableState(TEST_TABLE, TableState.State.DISABLED));
|
||||
}
|
||||
return null;
|
||||
};
|
||||
|
||||
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUnauthorizedFixMeta() throws Exception {
|
||||
AccessTestAction action = () -> {
|
||||
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
|
||||
Hbck hbck = conn.getHbck()){
|
||||
hbck.fixMeta();
|
||||
}
|
||||
return null;
|
||||
};
|
||||
|
||||
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||
USER_GROUP_WRITE, USER_GROUP_CREATE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSecurityCapabilities() throws Exception {
|
||||
List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin()
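Review bot: `testUnauthorizedSetTableStateInMeta` and `testUnauthorizedFixMeta` assert only the denied side, so a regression that also locks out administrators would pass unnoticed. Each test should pair its `verifyDenied(...)` with a positive check such as `verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);`. Those principals are not visible in this hunk, so use whichever admin users the class defines. The allowed path would really set TEST_TABLE to DISABLED in meta, so the test would have to restore the table state afterwards to keep later tests unaffected. The two lambdas differ only in the Hbck call and could share a small helper.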
|
||||
|
|