HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights

Signed-off-by: Andrew Purtell <apurtell@apache.org>
Ashish Singhi 2014-12-15 17:43:19 -08:00 committed by Andrew Purtell
parent 871444cb0a
commit e4ad5581d9
2 changed files with 16 additions and 8 deletions


@ -1026,13 +1026,14 @@ public class AccessController extends BaseMasterAndRegionObserver
@Override @Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
HColumnDescriptor descriptor) throws IOException { HColumnDescriptor descriptor) throws IOException {
requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
Action.CREATE);
} }
@Override @Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName, public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
byte[] col) throws IOException { byte[] col) throws IOException {
requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE); requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE);
} }
@Override @Override
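Review bot: Passing the family into `requirePermission` in `preModifyColumn` and `preDeleteColumn` widens the set of principals that may alter or drop a family from table-level ADMIN/CREATE holders to anyone holding ADMIN or CREATE on that family alone, and neither method carries a comment saying this is deliberate; the next maintainer will not be able to tell a scope widening from a mistake. I would add above the `preDeleteColumn` check `// Family-scoped ADMIN/CREATE is sufficient here (per the ACL matrix); deleting the family is irreversible for every user of that family.` Note also that `descriptor.getName()` is dereferenced before the permission check runs, so a null descriptor would surface as a NullPointerException rather than an access-denied result — presumably callers validate the descriptor earlier, but that is not visible in this hunk and is worth confirming. The enclosing class continues outside the hunk.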


@ -152,6 +152,8 @@ public class TestAccessController extends SecureTestUtil {
private static User USER_CREATE; private static User USER_CREATE;
// user with no permissions // user with no permissions
private static User USER_NONE; private static User USER_NONE;
// user with admin rights on the column family
private static User USER_ADMIN_CF;
// TODO: convert this test to cover the full matrix in // TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html // https://hbase.apache.org/book/appendix_acl_matrix.html
@ -210,6 +212,7 @@ public class TestAccessController extends SecureTestUtil {
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
} }
@AfterClass @AfterClass
@ -258,9 +261,13 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE.getTableName(), TEST_FAMILY, null, TEST_TABLE.getTableName(), TEST_FAMILY, null,
Permission.Action.READ); Permission.Action.READ);
assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
TEST_TABLE.getTableName(), TEST_FAMILY,
null, Permission.Action.ADMIN);
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
try { try {
assertEquals(4, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size()); assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
} }
@ -375,7 +382,7 @@ public class TestAccessController extends SecureTestUtil {
} }
}; };
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE); verifyDenied(action, USER_RW, USER_RO, USER_NONE);
} }
@ -390,7 +397,7 @@ public class TestAccessController extends SecureTestUtil {
} }
}; };
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE); verifyDenied(action, USER_RW, USER_RO, USER_NONE);
} }
@ -2415,8 +2422,8 @@ public class TestAccessController extends SecureTestUtil {
null, Action.ADMIN); null, Action.ADMIN);
List<UserPermission> perms = testUserPerms.runAs(getPrivilegedAction(regex)); List<UserPermission> perms = testUserPerms.runAs(getPrivilegedAction(regex));
assertNotNull(perms); assertNotNull(perms);
// USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms has row each. // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each.
assertEquals(5, perms.size()); assertEquals(6, perms.size());
} }
@Test @Test
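Review bot: The new `USER_ADMIN_CF` is only ever asserted on the allowed side of the modify-column and delete-column tests, so nothing in this change verifies that a family-scoped ADMIN grant stays confined to the family it was granted on. A user holding ADMIN on some other family of `TEST_TABLE` should appear in the `verifyDenied(action, USER_RW, USER_RO, USER_NONE)` lists of both tests, otherwise a regression that checked the wrong family (or ignored it) would still pass. The `grantOnTable` call that creates the user is in the `@BeforeClass` setup, so a second user with ADMIN on a different family can be created alongside it and the permission-count assertions (currently `5` and `6`) bumped accordingly. I would also add a one-line comment next to `USER_ADMIN_CF` noting it has no table- or namespace-level grant, since that is what makes the test meaningful.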