  1. HBase
  2. HBASE-13294

Fix the critical ancient loopholes in security testing infrastructure.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.1, 1.1.0, 0.98.12, 2.0.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Unfortunately, the "verifyDenied" method doesn't fail when the action parameter returns null. The relevant code snippet:

      try {
        Object obj = user.runAs(action);
        if (requireException) {
          fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
        }
        // A null obj skips this block entirely, so no fail() is reached.
        if (obj != null && obj instanceof List<?>) {
          List<?> results = (List<?>) obj;
          if (results != null && !results.isEmpty()) {
            fail("Unexpected results for user '" + user.getShortName() + "'");
          }
        }
      }
      

      As you can see, when obj is null, it returns silently.

      Fixing this issue has uncovered another major bug. While constructing actions, we're using TEST_UTIL.getConnection(), which replaces the "doAs" user with the user who initiated the connection. I really am grateful to Matteo Bertozzi without whom debugging this would have been a nightmare.

      Now, fixing these two issues has uncovered more issues in our tests. The main one is that we're allowing the table owner to truncate the table in code, but in the test we're not allowing him to. We should either remove the code that allows the owner or document that the table owner can truncate the table.

      The other minor issues include granting permissions to a namespace, but checking whether the user was able to access tables inside another namespace.

      That's it, folks!
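The silent pass described above, reproduced without HBase as an added example (not code from the HBase patch). `DeniedException`, `lenientVerifyDenied` and `strictVerifyDenied` are hypothetical names, the catch handling is assumed because the snippet on the page does not show it, and the strict variant is one possible way to close the gap, not necessarily what the committed fix does.

```java
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Callable;

public class VerifyDeniedDemo {
    // Hypothetical stand-in for the error a secured server raises on denial.
    static class DeniedException extends Exception {
        DeniedException(String msg) { super(msg); }
    }

    // Same decision logic as the snippet in the description.
    // Returns true when the "access was denied" check passes.
    static boolean lenientVerifyDenied(Callable<Object> action, boolean requireException) {
        try {
            Object obj = action.call();
            if (requireException) {
                return false; // expected exception was not thrown
            }
            if (obj instanceof List<?> && !((List<?>) obj).isEmpty()) {
                return false; // unexpected results
            }
            return true; // null result: passes although no denial was observed
        } catch (Exception e) {
            return e instanceof DeniedException; // assumed handling, not on the page
        }
    }

    // Stricter check: only an explicit denial counts as denied.
    static boolean strictVerifyDenied(Callable<Object> action) {
        try {
            action.call();
            return false; // any normal return, null included, means not denied
        } catch (DeniedException e) {
            return true;
        } catch (Exception e) {
            return false; // an unrelated failure is not proof of denial
        }
    }

    public static void main(String[] args) {
        // Constructed sample actions.
        Callable<Object> returnsNull = () -> null; // ran to completion, e.g. a void admin call
        Callable<Object> denied = () -> { throw new DeniedException("constructed"); };
        Callable<Object> leaksRows = () -> Arrays.asList("row1");

        System.out.println("lenient / returnsNull: " + lenientVerifyDenied(returnsNull, false));
        System.out.println("strict  / returnsNull: " + strictVerifyDenied(returnsNull));
        System.out.println("lenient / leaksRows:   " + lenientVerifyDenied(leaksRows, false));
        System.out.println("strict  / denied:      " + strictVerifyDenied(denied));
    }
}
```

The first two output lines differ: the lenient check reports the null-returning action as denied, while the strict check reports it as allowed.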

        Attachments

        1. HBASE-13294_v2.patch
          40 kB
          Srikanth Srungarapu
        2. HBASE-13294_v3.patch
          65 kB
          Srikanth Srungarapu
        3. HBASE-13294_v3.patch
          56 kB
          Srikanth Srungarapu
        4. HBASE-13294_v4.patch
          65 kB
          Srikanth Srungarapu
        5. HBASE-13294_v5.patch
          65 kB
          Srikanth Srungarapu
        6. HBASE-13294_v6.patch
          72 kB
          Srikanth Srungarapu
        7. HBASE-13294_v6.patch
          72 kB
          Srikanth Srungarapu
        8. HBASE-13294.patch
          27 kB
          Srikanth Srungarapu
        9. HBASE-13294-0.98.patch
          16 kB
          Srikanth Srungarapu
        10. HBASE-13294-0.98.patch
          16 kB
          Srikanth Srungarapu
        11. HBASE-13294-branch-1.0.patch
          94 kB
          Andrew Kyle Purtell
        12. HBASE-13294-branch-1.patch
          64 kB
          Srikanth Srungarapu
        13. HBASE-13294-branch-1.patch
          62 kB
          Srikanth Srungarapu


              People

              • Assignee:
                srikanth235 Srikanth Srungarapu
                Reporter:
                srikanth235 Srikanth Srungarapu