From 577c46d3beb1b2b2f5ebcdcc66ac3d8a7594ed4a Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Fri, 5 Dec 2014 16:28:17 +0530
Subject: [PATCH] HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights
---
 .../hadoop/hbase/security/access/AccessController.java | 7 ++++---
 .../hbase/security/access/TestAccessController.java | 17 ++++++++++++-----
 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 3704dd0..757284d 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -992,19 +992,20 @@ public class AccessController extends BaseMasterAndRegionObserver
 @Override
 public void preAddColumn(ObserverContext c, TableName tableName, HColumnDescriptor column) throws IOException {
- requirePermission("addColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("addColumn", tableName, column.getName(), null, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preModifyColumn(ObserverContext c, TableName tableName, HColumnDescriptor descriptor) throws IOException {
- requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
+ Action.CREATE);
 }
 @Override
 public void preDeleteColumn(ObserverContext c, TableName tableName, byte[] col) throws IOException {
- requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE);
 }
 @Override
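Review bot: preAddColumn now authorizes against `column.getName()` even though that family does not exist at the time of the check, so a family-scoped ADMIN or CREATE grant carrying the same name is enough to pass; the commit subject and the test changes only mention modifyColumn and deleteColumn, so this widening of addColumn is neither explained nor exercised. If it is intended, say so at the call site, e.g. `// family-scoped ADMIN/CREATE on the (not yet existing) family name is accepted here`; if not, keep the original null family argument for addColumn and change only the other two. Two of the calls also dereference `column` and `descriptor` before the permission check, which presumably relies on the master having validated the descriptor earlier — worth confirming. The enclosing class continues outside the hunk.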
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 0aeb346..9b7c0aa 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -154,6 +154,8 @@ public class TestAccessController extends SecureTestUtil {
 private static User USER_CREATE;
 // user with no permissions
 private static User USER_NONE;
+ // user with admin rights on the column family
+ private static User USER_ADMIN_CF;
 private static TableName TEST_TABLE2 = TableName.valueOf("testtable2");
 private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -208,6 +210,7 @@ public class TestAccessController extends SecureTestUtil {
 USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
 USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
 USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
+ USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
 }
 @AfterClass
@@ -256,9 +259,13 @@ public class TestAccessController extends SecureTestUtil {
 TEST_TABLE.getTableName(), TEST_FAMILY, null,
 Permission.Action.READ);
- assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
+ TEST_TABLE.getTableName(), TEST_FAMILY, null,
+ Permission.Action.ADMIN);
+
+ assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
 try {
- assertEquals(4, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
+ assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
 } catch (Throwable e) {
 LOG.error("error during call of AccessControlClient.getUserPermissions. " + e.getStackTrace());
 }
@@ -373,7 +380,7 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
 verifyDenied(action, USER_RW, USER_RO, USER_NONE);
 }
@@ -388,7 +395,7 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
 verifyDenied(action, USER_RW, USER_RO, USER_NONE);
 }
@@ -2448,7 +2455,7 @@ public class TestAccessController extends SecureTestUtil {
 List perms = testUserPerms.runAs(getPrivilegedAction(regex));
 assertNotNull(perms);
 // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms has row each.
- assertEquals(5, perms.size());
+ assertEquals(6, perms.size());
 }
--
1.9.2.msysgit.0
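Review bot: The new grantOnTable call gives USER_ADMIN_CF ADMIN on TEST_FAMILY only, yet the hunks at -373 and -388 add that user solely to verifyAllowed; there is no verifyDenied case for the same user against a different family, so the test does not pin that the new check is family-scoped rather than table-wide, which is the boundary the fix is about. A denied case along the lines of `verifyDenied(modifyOtherFamilyAction, USER_ADMIN_CF);` where the action targets a family other than TEST_FAMILY would cover it, and the addColumn path changed in the same commit has no test at all. The enclosing test methods begin outside these hunks, so which operations the two verifyAllowed calls exercise is inferred from the commit subject.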
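Review bot: In the hunk at -2448 the comment above the changed assertion still lists five users (`// USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms has row each.`) while the expected size moves to 6, so it no longer accounts for the number; presumably the extra row is the new USER_ADMIN_CF grant, in which case it should read `// USER_ADMIN, USER_CREATE, USER_RW, USER_RO, USER_ADMIN_CF, testUserPerms has row each.`. The enclosing test method starts outside the hunk.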