diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d09829f..24fd50b 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2108,6 +2108,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 });
 } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
 final String namespace = request.getNamespaceName().toStringUtf8();
+ requireGlobalPermission("userPermissions", Action.ADMIN, namespace);
 perms = User.runAsLoginUser(new PrivilegedExceptionAction>() {
 @Override
 public List run() throws Exception {
@@ -2116,6 +2117,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 }
 });
 } else {
+ requirePermission("userPermissions", Action.ADMIN);
 perms = User.runAsLoginUser(new PrivilegedExceptionAction>() {
 @Override
 public List run() throws Exception {
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 668360f..89428f5 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -997,7 +997,7 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
- AccessTestAction getPermissionsAction = new AccessTestAction() {
+ AccessTestAction getTablePermissionsAction = new AccessTestAction() {
 @Override
 public Object run() throws Exception {
 Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
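Review bot: The new `requireGlobalPermission("userPermissions", Action.ADMIN, namespace);` and `requirePermission("userPermissions", Action.ADMIN);` calls are placed before `User.runAsLoginUser(...)`, and that ordering appears to be the whole fix — once inside the privileged action the ACL lookup presumably runs as the login user, so a check moved in there would pass for everyone — yet nothing in the code records it. I would pin it with a comment above each call: `// Authorize the RPC caller here, before runAsLoginUser escalates to the login user to read the ACL table.` The two branches also reach for different helpers for what looks like the same global-ADMIN check; if `requireGlobalPermission(..., namespace)` differs from `requirePermission` only in audit-log context, say so in that comment, and if it is instead meant to admit a namespace-scoped ADMIN, the test in this commit (whose principals appear to be only global, table-owner and unprivileged users) does not confirm either outcome. The enclosing getUserPermissions method starts and ends outside the hunk, so whether the Table branch above carries an equivalent guard cannot be checked from here.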
@@ -1013,14 +1013,52 @@ public class TestAccessController extends SecureTestUtil { } }; + AccessTestAction getGlobalPermissionsAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol); + } finally { + acl.close(); + } + return null; + } + }; + + AccessTestAction getNamespacePermissionsAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol, NamespaceDescriptor.SYSTEM_NAMESPACE_NAME); + } finally { + acl.close(); + } + return null; + } + }; + verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getPermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getPermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + + verifyAllowed(getNamespacePermissionsAction, SUPERUSER, USER_ADMIN); + 
verifyDenied(getNamespacePermissionsAction, USER_CREATE,USER_OWNER,USER_RW, USER_RO, USER_NONE); } @Test
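Review bot: The new `getNamespacePermissionsAction` assertions deny every principal except SUPERUSER and USER_ADMIN, but none of the listed users appears to hold ADMIN on a namespace alone, so the test does not pin the policy question the fix raises — whether a namespace-scoped ADMIN may list that namespace's permissions — and it exercises `NamespaceDescriptor.SYSTEM_NAMESPACE_NAME` rather than the test table's own namespace; consider adding a namespace-ADMIN user to the allowed or denied list, whichever is intended. The two added actions also repeat the HTable/coprocessorService/newBlockingStub setup of `getTablePermissionsAction` verbatim, differing only in which `ProtobufUtil.getUserPermissions` overload is called, so the stub construction could move into one small helper as sketched below. The `try/finally` around `acl.close()` follows the surrounding style; `Table` is `Closeable`, so try-with-resources is an option if the class ever modernizes. The enclosing test method starts outside the hunk.
```java
// … unchanged: grantAction / revokeAction / getTablePermissionsAction …
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
  @Override
  public Object run() throws Exception {
    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      ProtobufUtil.getUserPermissions(aclService(acl));
    } finally {
      acl.close();
    }
    return null;
  }
};
// … unchanged: getNamespacePermissionsAction, same shape using the namespace overload …

/** Opens an AccessControlService stub on the ACL table, keyed by the test table's name as the existing actions do. */
private static AccessControlService.BlockingInterface aclService(Table acl) {
  BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
  return AccessControlService.newBlockingStub(service);
}
```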