From 8eb163e1ba8a94d480da40503ec5efad55bfa044 Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Thu, 4 Dec 2014 10:26:46 +0530
Subject: [PATCH] HBASE-12634 Fix the AccessController#requireGlobalPermission(ns) with NS
---
 .../hbase/security/access/AccessController.java | 3 +-
 .../security/access/TestNamespaceCommands.java | 47 +++++++++++++++++++---
 2 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 1218368..95487a3 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -497,7 +497,8 @@ public class AccessController extends BaseMasterAndRegionObserver
 private void requireGlobalPermission(String request, Action perm, String namespace)
 throws IOException {
 User user = getActiveUser();
- if (authManager.authorize(user, perm)) {
+ if (authManager.authorize(user, perm)
+ || (namespace != null && authManager.authorize(user, namespace, perm))) {
 logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace));
 } else {
 logResult(AuthResult.deny(request, "Global check failed", user, perm, namespace));
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 0f28c66..9646a39 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
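Review bot: The added `|| (namespace != null && authManager.authorize(user, namespace, perm))` branch in the AccessController.java hunk falls into the same `AuthResult.allow(request, "Global check allowed", ...)` call, so the audit record reports a global grant when only a namespace-scoped grant matched. It also widens every caller of `requireGlobalPermission(request, perm, namespace)` at once; the tests in this patch show that this includes `preCreateNamespace` and `preDeleteNamespace`, so a namespace ADMIN grant becomes sufficient to create or delete that namespace, which should be a documented decision rather than a side effect of a shared helper. I would keep the global check first and add a separate branch, `} else if (namespace != null && authManager.authorize(user, namespace, perm)) {` followed by `logResult(AuthResult.allow(request, "Namespace check allowed", user, perm, namespace));`, plus a comment on the method stating that a namespace-scoped permission satisfies it despite the name. The method body continues past the end of the hunk.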
@@ -71,6 +71,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
 private static User USER_CREATE;
 // user with permission on namespace for testing all operations.
 private static User USER_NSP_WRITE;
+ // user with admin permission on namespace for testing all operations.
+ private static User USER_NSP_ADMIN;
 private static String TEST_TABLE = TestNamespace + ":testtable";
 private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -84,6 +86,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
 USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]);
 USER_CREATE = User.createUserForTesting(conf, "create_user", new String[0]);
 USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
+ USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
 UTIL.startMiniCluster();
 // Wait for the ACL table to become available
@@ -97,6 +100,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
 grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(), TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
+
+ grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace, Permission.Action.ADMIN);
 }
 @AfterClass
@@ -118,7 +123,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
 assertTrue(result != null);
 ListMultimap perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
- assertEquals(2, perms.size());
+ assertEquals(3, perms.size());
 List namespacePerms = perms.get(userTestNamespace);
 assertTrue(perms.containsKey(userTestNamespace));
 assertEquals(1, namespacePerms.size());
@@ -134,7 +139,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
 Permission.Action.WRITE);
 perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
- assertEquals(1, perms.size());
+ assertEquals(2, perms.size());
 } finally {
 acl.close();
 }
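Review bot: The literals in `assertEquals(3, perms.size());` (hunk at -118) and `assertEquals(2, perms.size());` (hunk at -134) encode how many namespace grants the class-level setup happens to create, so every new fixture user forces an edit here, as this patch shows. Reading the size before the grant and asserting relative to it, e.g. `assertEquals(before + 1, perms.size());` and later `assertEquals(before, perms.size());`, keeps the test about the grant and revoke it actually exercises. `before` is a constructed local name that would be assigned at the start of the test method, which lies outside both hunks.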
@@ -150,12 +155,42 @@ public class TestNamespaceCommands extends SecureTestUtil {
 }
 };
 // verify that superuser or hbase admin can modify namespaces.
- verifyAllowed(modifyNamespace, SUPERUSER);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN);
 // all others should be denied
 verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
 }
 @Test
+ public void testCreateNamespace() throws Exception {
+ AccessTestAction createNamespace = new AccessTestAction() {
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
+ NamespaceDescriptor.create(TestNamespace).addConfiguration("abc", "156").build());
+ return null;
+ }
+ };
+ // verify that superuser or hbase admin can create namespaces.
+ verifyAllowed(createNamespace, SUPERUSER, USER_NSP_ADMIN);
+ // all others should be denied
+ verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+ }
+
+ @Test
+ public void testDeleteNamespace() throws Exception {
+ AccessTestAction deleteNamespace = new AccessTestAction() {
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
+ TestNamespace);
+ return null;
+ }
+ };
+ // verify that superuser or hbase admin can delete namespaces.
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN);
+ // all others should be denied
+ verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+ }
+
+ @Test
 public void testGrantRevoke() throws Exception{
 final String testUser = "testUser";
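Review bot: Every new assertion runs against `TestNamespace`, the one namespace on which `USER_NSP_ADMIN` holds ADMIN, so nothing here checks that the namespace-scoped grant stays confined to that namespace. Since the production change relaxes a check named "global", a negative case against a second namespace is the test that would catch scope leakage; the sketch below shows it for delete, and the same shape applies to create and modify. The comments `// verify that superuser or hbase admin can ... namespaces.` are also stale now that a namespace admin is in the allowed list and should say so. Whether the pre-hook rejects before looking up the namespace is not visible in this hunk, so the second namespace may need to exist in the fixture.

```java
// … unchanged: deleteNamespace action with its verifyAllowed / verifyDenied calls …

// OTHER_NAMESPACE is a placeholder: a namespace on which USER_NSP_ADMIN has no grant.
AccessTestAction deleteOtherNamespace = new AccessTestAction() {
  public Object run() throws Exception {
    ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
        OTHER_NAMESPACE);
    return null;
  }
};
// a namespace-scoped ADMIN grant must not carry over to another namespace
verifyDenied(deleteOtherNamespace, USER_NSP_ADMIN, USER_NSP_WRITE, USER_CREATE, USER_RW);
```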
@@ -195,10 +230,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
 // Only HBase super user should be able to grant and revoke permissions to
 // namespaces
- verifyAllowed(grantAction, SUPERUSER);
+ verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN);
 verifyDenied(grantAction, USER_CREATE, USER_RW);
- verifyAllowed(revokeAction, SUPERUSER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW);
+ verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW);
 }
 @Test
-- 
1.9.2.msysgit.0
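Review bot: The context comment "Only HBase super user should be able to grant and revoke permissions to namespaces" is contradicted by the new `verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN)` and should be reworded, e.g. `// Only the HBase super user and an admin of the namespace may grant or revoke namespace permissions`. The deny lists here also omit `USER_NSP_WRITE`, which the other tests in this file include; `verifyDenied(grantAction, USER_NSP_WRITE, USER_CREATE, USER_RW);` and the same for `revokeAction` would cover a holder of non-ADMIN namespace permissions, the case closest to the boundary being moved. The `verifyDenied(revokeAction, ...)` line is removed and re-added with identical visible text, presumably a whitespace-only change that could be dropped from the patch. `grantAction` and `revokeAction` are defined outside the hunk, so the namespace they target cannot be confirmed from here.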