From a06b853aa110eb5b9b7ecdd26fbf30feac718cfc Mon Sep 17 00:00:00 2001
From: chenheng
Date: Fri, 21 Aug 2015 14:10:28 +0800
Subject: [PATCH] HBASE-14265 we should forbid creating table using 'hbase' namespace except by superuser
---
 .../main/java/org/apache/hadoop/hbase/TableName.java | 4 ++++
 .../java/org/apache/hadoop/hbase/master/HMaster.java | 7 +++++++
 .../org/apache/hadoop/hbase/client/TestAdmin1.java | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+)
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/TableName.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/TableName.java
index 63066b3..77a907d 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/TableName.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/TableName.java
@@ -270,6 +270,10 @@ public final class TableName implements Comparable {
 return systemTable;
 }
+ public boolean isSystemNamespace() {
+ return Bytes.equals(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME, namespace);
+ }
+
 @Override
 public String toString() {
 return nameAsString;
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
index ca721e2..4c88bad 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
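Review bot: In the TableName.java hunk, the new public `isSystemNamespace()` has no Javadoc, although HMaster.java in this same patch bases an access decision on its result. I would add `/** Returns true when this table's namespace equals NamespaceDescriptor.SYSTEM_NAMESPACE_NAME, the reserved system namespace. */` above the method, so callers know it is a byte-wise comparison of the namespace and not a property of the table itself. The context line `return systemTable;` suggests a sibling predicate sits just above; the doc should state how the two differ, which cannot be confirmed from this hunk because the enclosing class starts and ends outside it.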
@@ -125,7 +125,9 @@ import org.apache.hadoop.hbase.regionserver.RSRpcServices;
 import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost;
 import org.apache.hadoop.hbase.regionserver.RegionSplitPolicy;
 import org.apache.hadoop.hbase.replication.regionserver.Replication;
+import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.UserProvider;
+import org.apache.hadoop.hbase.security.access.AccessController;
 import org.apache.hadoop.hbase.util.Addressing;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.CompressionTest;
@@ -1453,6 +1455,11 @@ public class HMaster extends HRegionServer implements MasterServices, Server {
 String namespace = hTableDescriptor.getTableName().getNamespaceAsString();
 ensureNamespaceExists(namespace);
+ if (!AccessController.isAuthorizationSupported(conf)
+ && hTableDescriptor.getTableName().isSystemNamespace()) {
+ throw new AccessDeniedException("Can't create table under system namespace 'hbase'!");
+ }
+
 HRegionInfo[] newRegions = ModifyRegionUtils.createHRegionInfos(hTableDescriptor, splitKeys);
 checkInitialized();
 sanityCheckTableDescriptor(hTableDescriptor);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAdmin1.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAdmin1.java
index 33c151d..47c746a 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAdmin1.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAdmin1.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HRegionLocation;
 import org.apache.hadoop.hbase.HTableDescriptor;
+import org.apache.hadoop.hbase.NamespaceDescriptor;
 import org.apache.hadoop.hbase.InvalidFamilyOperationException;
 import org.apache.hadoop.hbase.MasterNotRunningException;
 import org.apache.hadoop.hbase.MetaTableAccessor;
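Review bot: In the HMaster.java hunk at -1453, the new guard runs only when `AccessController.isAuthorizationSupported(conf)` is false, so with authorization switched on this method does nothing to protect the 'hbase' namespace and depends entirely on a check elsewhere that the patch does not show. If that call only reads the configuration flag (the test's use of `User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY` points that way), a cluster with the flag set but no AccessController coprocessor loaded would pass both paths unchecked. With authorization off, the guard also rejects every caller, including any master-internal or coprocessor code that creates its own 'hbase' tables through this method; those callers are outside the hunk and worth confirming. At minimum I would record the assumption above the `if`: `// Authorization off: nobody may create tables in 'hbase'. Authorization on: relies on AccessController being loaded to restrict this to superusers.` The enclosing method begins and ends outside the hunk.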
@@ -50,6 +51,7 @@ import org.apache.hadoop.hbase.TableNotEnabledException;
 import org.apache.hadoop.hbase.TableNotFoundException;
 import org.apache.hadoop.hbase.ZooKeeperConnectionException;
 import org.apache.hadoop.hbase.exceptions.MergeRegionException;
+import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.master.HMaster;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.RequestConverter;
@@ -58,6 +60,8 @@ import org.apache.hadoop.hbase.protobuf.generated.MasterProtos.DispatchMergingRe
 import org.apache.hadoop.hbase.regionserver.HRegion;
 import org.apache.hadoop.hbase.regionserver.Store;
 import org.apache.hadoop.hbase.regionserver.StoreFile;
+import org.apache.hadoop.hbase.security.AccessDeniedException;
+import org.apache.hadoop.hbase.security.access.AccessController;
 import org.apache.hadoop.hbase.testclassification.ClientTests;
 import org.apache.hadoop.hbase.testclassification.LargeTests;
 import org.apache.hadoop.hbase.util.Bytes;
@@ -90,6 +94,7 @@ public class TestAdmin1 {
 TEST_UTIL.getConfiguration().setInt("hbase.client.pause", 250);
 TEST_UTIL.getConfiguration().setInt("hbase.client.retries.number", 6);
 TEST_UTIL.getConfiguration().setBoolean("hbase.master.enabletable.roundrobin", true);
+ TEST_UTIL.getConfiguration().setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false);
 TEST_UTIL.startMiniCluster(3);
 }
@@ -927,6 +932,19 @@ public class TestAdmin1 {
 }
 }
+ @Test (timeout = 300000)
+ public void testCreateTableInSystemNamespace() throws IOException {
+ assertFalse(AccessController.isAuthorizationSupported(TEST_UTIL.getConfiguration()));
+ TableName tableName = TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME,
+ Bytes.toBytes("testCreateTableInSystemNamespace"));
+ try {
+ admin.createTable(new HTableDescriptor(tableName));
+ fail("Test case should fail as create table under system namespace.");
+ } catch (AccessDeniedException e) {
+ LOG.info("Expected ", e);
+ }
+ }
+
 @Test (timeout=120000)
 public void testTableExist() throws IOException {
 final TableName table = TableName.valueOf("testTableExist");
--
1.9.3 (Apple Git-50)
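Review bot: `testCreateTableInSystemNamespace` in the TestAdmin1.java hunk at -927 pins only the authorization-disabled branch, while the commit title promises that a superuser can still create tables in 'hbase'; nothing in this patch exercises that path or the denial of a non-superuser with authorization enabled. The setup hunk at -90 forces `User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY` to false for the whole class, so the companion cases would have to live in a security-enabled test class. I would say so at the top of the test, `// Covers authorization disabled only; the superuser-allowed and non-superuser-denied paths need a security-enabled test class.`, so the gap is not mistaken for coverage. The enclosing class starts and ends outside the hunk.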