From 9c0c82238de045a1969e2b3fb6b5b4c21ba9cc76 Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Thu, 11 Dec 2014 11:36:58 +0530
Subject: [PATCH] HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights
---
 .../hadoop/hbase/security/access/AccessController.java | 5 +++--
 .../hbase/security/access/TestAccessController.java | 15 +++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 506acee..a28884c 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1022,13 +1022,14 @@ public class AccessController extends BaseMasterAndRegionObserver
   @Override
   public void preModifyColumn(ObserverContext c, TableName tableName,
       HColumnDescriptor descriptor) throws IOException {
-    requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+    requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
+        Action.CREATE);
   }
 
   @Override
   public void preDeleteColumn(ObserverContext c, TableName tableName,
       byte[] col) throws IOException {
-    requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+    requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 233d0f9..9d89d61 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
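Review bot: The authorization check in `preModifyColumn` and `preDeleteColumn` is now scoped to the named column family, so ADMIN or CREATE held only on that family passes where the old `null` family argument required a table-wide grant, yet nothing in the code records that this widening is deliberate and a later reader could "fix" it back. A one-line comment above each call would pin the intent, e.g. `// Scoped to the target family on purpose (HBASE-12348): ADMIN/CREATE on this family is enough to modify or delete it.`. In `preModifyColumn` the family is read via `descriptor.getName()` before the check runs, so if the master can ever hand this hook a null descriptor the caller sees a NullPointerException rather than an access decision; worth confirming that the caller guarantees non-null. Minor style point: the two `requirePermission` calls are wrapped differently although they are the same length, so keeping both on one line (or both wrapped) would read more consistently.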
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -147,6 +147,8 @@ public class TestAccessController extends SecureTestUtil {
   private static User USER_CREATE;
   // user with no permissions
   private static User USER_NONE;
+  // user with admin rights on the column family
+  private static User USER_ADMIN_CF;
 
   // TODO: convert this test to cover the full matrix in
   // https://hbase.apache.org/book/appendix_acl_matrix.html
@@ -204,6 +206,7 @@ public class TestAccessController extends SecureTestUtil {
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
+    USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
   }
 
   @AfterClass
@@ -252,9 +255,13 @@ public class TestAccessController extends SecureTestUtil {
       TEST_TABLE.getTableName(), TEST_FAMILY, null,
       Permission.Action.READ);
 
-    assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+    grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
+      TEST_TABLE.getTableName(), TEST_FAMILY,
+      null, Permission.Action.ADMIN);
+
+    assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
     try {
-      assertEquals(4, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
+      assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.getUserPermissions. " + e.getStackTrace());
     }
@@ -369,7 +376,7 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
     verifyDenied(action, USER_RW, USER_RO, USER_NONE);
   }
 
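Review bot: The updated `assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size())` in the `@@ -252` hunk sits inside a `try` whose `catch (Throwable e)` only logs, so an AssertionError from that line is swallowed and the test still passes; the count seen through the client path is therefore never actually verified. Either fail the test from the catch, e.g. `fail("AccessControlClient.getUserPermissions failed: " + e);`, or keep only the client call inside the `try` and assert on its result afterwards. The pre-existing log line also concatenates `e.getStackTrace()`, which renders as an array identity rather than the trace, so passing `e` to the logger as the throwable argument would give a usable message. The enclosing setup method starts and ends outside the hunk.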
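Review bot: Adding `USER_ADMIN_CF` to `verifyAllowed` in the `@@ -369` hunk shows only that a family-scoped grant is accepted; it cannot distinguish a correctly family-scoped check from one that accepts ADMIN on any family of the table, because no user holding ADMIN on a different family is exercised. A `verifyDenied` case for a user granted ADMIN only on a family other than the one being modified or deleted would pin the scoping that the AccessController change introduces; the same applies to the `@@ -384` hunk. Both enclosing test methods start outside their hunks.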
@@ -384,7 +391,7 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
     verifyDenied(action, USER_RW, USER_RO, USER_NONE);
   }
 
-- 
1.9.2.msysgit.0