Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-13294

Fix the critical ancient loopholes in security testing infrastructure.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 1.0.1, 1.1.0, 0.98.12, 2.0.0
    • None
    • None
    • Reviewed

    Description

      Unfortunately, the "verifyDenied" method doesn't fail when action parameter returns null. The relevant code snippet

      try {
              Object obj = user.runAs(action);
              if (requireException) {
                fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
              }
              if (obj != null && obj instanceof List<?>) {
                List<?> results = (List<?>) obj;
                if (results != null && !results.isEmpty()) {
                  fail("Unexpected results for user '" + user.getShortName() + "'");
                }
              }
            }
      

      As you can see, when obj is null, it returns silently.

      Fixing this issue has uncovered another major bug. While constructing actions, we're using TEST_UTIL.getConnection(), which replaces the "doAs" user with the user who initiated the connection. I really am grateful to mbertozzi without whom debugging this would have been a nightmare.

      Now, fixing these two issues have uncovered more issues in our tests . The main one is we're allowing the table owner to truncate table in code. But, in test, we're not allowing him. We should either remove the code that allows owner or document that the table owner can truncate table.

      The other minor issues include granting permissions to namespace, but checking whether user was able to access tables inside other namespace.

      That's it, folks!

      Attachments

        1. HBASE-13294_v2.patch
          40 kB
          Srikanth Srungarapu
        2. HBASE-13294_v3.patch
          65 kB
          Srikanth Srungarapu
        3. HBASE-13294_v3.patch
          56 kB
          Srikanth Srungarapu
        4. HBASE-13294_v4.patch
          65 kB
          Srikanth Srungarapu
        5. HBASE-13294_v5.patch
          65 kB
          Srikanth Srungarapu
        6. HBASE-13294_v6.patch
          72 kB
          Srikanth Srungarapu
        7. HBASE-13294_v6.patch
          72 kB
          Srikanth Srungarapu
        8. HBASE-13294.patch
          27 kB
          Srikanth Srungarapu
        9. HBASE-13294-0.98.patch
          16 kB
          Srikanth Srungarapu
        10. HBASE-13294-0.98.patch
          16 kB
          Srikanth Srungarapu
        11. HBASE-13294-branch-1.0.patch
          94 kB
          Andrew Kyle Purtell
        12. HBASE-13294-branch-1.patch
          64 kB
          Srikanth Srungarapu
        13. HBASE-13294-branch-1.patch
          62 kB
          Srikanth Srungarapu

        Issue Links

          Activity

            People

              srikanth235 Srikanth Srungarapu
              srikanth235 Srikanth Srungarapu
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: