commit d1672d768a044e658c6c93ae8ba79e20909a1e47
Author: Guang Yang
Date: 3 minutes ago
HBASE-15942: Let users who have 'RWX' to be able to describe the table
Signed-off-by: Guang Yang
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index f21d8e2..4f71772 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -440,14 +440,15 @@ public class AccessController extends BaseMasterAndRegionObserver
 for (Action permission : permissions) {
 if (authManager.authorize(user, tableName, family, qualifier, permission)) {
 result = AuthResult.allow(request, "Table permission granted", user,
- permission, tableName, family, qualifier);
+ permission, tableName, family, qualifier);
 break;
- } else {
- // rest of the world
- result = AuthResult.deny(request, "Insufficient permissions", user,
- permission, tableName, family, qualifier);
 }
 }
+ if (result == null) {
+ // rest of the world
+ result = AuthResult.deny(request, "Insufficient permissions", user,
+ permissions.length == 0 ? null : permissions[0], tableName, family, qualifier);
+ }
 logResult(result);
 if (authorizationEnabled && !result.isAllowed()) {
 throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
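Review bot: The deny result built after the loop records only `permissions[0]` as the action, so for a multi-action check the audit entry and the AccessDeniedException context read as if a single action had been requested (for getTableDescriptors that will always show ADMIN even though five alternatives were tried); the hunk at @@ -471 has the same shape. The removed else-branch at least named the last action evaluated, so the access log loses information with this refactor. One way to keep it is to carry the set in the reason, e.g. `result = AuthResult.deny(request, "Insufficient permissions (none of " + Arrays.toString(permissions) + " granted)", user, permissions.length == 0 ? null : permissions[0], tableName, family, qualifier);` with `java.util.Arrays` imported. The `result == null` test also assumes `result` is initialised to null before the loop; that declaration sits above the hunk and should be confirmed, as should whether AuthResult.deny tolerates a null action for the empty-array case.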
@@ -471,16 +472,16 @@ public class AccessController extends BaseMasterAndRegionObserver
 for (Action permission : permissions) {
 if (authManager.authorize(user, tableName, null, null, permission)) {
 result = AuthResult.allow(request, "Table permission granted", user,
- permission, tableName, null, null);
- result.getParams().setFamily(family).setQualifier(qualifier);
+ permission, tableName, null, null);
 break;
- } else {
- // rest of the world
- result = AuthResult.deny(request, "Insufficient permissions", user,
- permission, tableName, family, qualifier);
- result.getParams().setFamily(family).setQualifier(qualifier);
 }
 }
+ if (result == null) {
+ // rest of the world
+ result = AuthResult.deny(request, "Insufficient permissions", user,
+ permissions.length == 0 ? null : permissions[0], tableName, family, qualifier);
+ }
+ result.getParams().setFamily(family).setQualifier(qualifier);
 logResult(result);
 if (authorizationEnabled && !result.isAllowed()) {
 throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
@@ -2503,7 +2504,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 if (!masterServices.getTableStateManager().isTablePresent(tableName)) continue;
 requirePermission("getTableDescriptors", tableName, null, null,
- Action.ADMIN, Action.CREATE);
+ Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE, Action.EXEC);
 }
 }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index f58e24e..4fc0a83 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
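Review bot: Widening the `requirePermission("getTableDescriptors", …)` call at @@ -2503 to READ, WRITE and EXEC changes what a table descriptor discloses and to whom: any principal holding one of those actions at table scope now receives the full descriptor, which in HBase typically carries table-level attributes and coprocessor entries that were previously visible only to ADMIN/CREATE holders. That is the stated intent of HBASE-15942, but nothing in the code says so; a comment on the call such as `// HBASE-15942: any table-scope R/W/X holder may describe the table (exposes table attributes/coprocessor specs), not only ADMIN/CREATE` keeps the authorization decision visible next to the check. The check passes null family and qualifier, so whether a grantee whose READ is limited to one column family is admitted depends on how authManager.authorize treats a null family, which the hunk does not show; worth confirming and pinning in the test. The enclosing preGetTableDescriptors method begins above the hunk.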
@@ -172,6 +172,10 @@ public class TestAccessController extends SecureTestUtil {
 private static User USER_NONE;
 // user with admin rights on the column family
 private static User USER_ADMIN_CF;
+ // user with read-only permission for all column families
+ private static User USER_RO_ALL_CF;
+ // user with rw permission on all column families
+ private static User USER_RW_ALL_CF;
 private static final String GROUP_ADMIN = "group_admin";
 private static final String GROUP_CREATE = "group_create";
@@ -238,6 +242,8 @@ public class TestAccessController extends SecureTestUtil {
 USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
 USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
 USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+ USER_RO_ALL_CF = User.createUserForTesting(conf, "roallcfuser", new String[0]);
+ USER_RW_ALL_CF = User.createUserForTesting(conf, "rwallcfuser", new String[0]);
 USER_GROUP_ADMIN = User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
@@ -301,14 +307,21 @@ public class TestAccessController extends SecureTestUtil {
 TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantOnTable(TEST_UTIL, USER_RO_ALL_CF.getShortName(),
+ TEST_TABLE, null, null, Permission.Action.READ);
+
+ grantOnTable(TEST_UTIL, USER_RW_ALL_CF.getShortName(),
+ TEST_TABLE, null, null, Permission.Action.READ, Action.WRITE);
+
+
 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN);
 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE);
 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
- assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(7, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
 try {
- assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
+ assertEquals(7, AccessControlClient.getUserPermissions(systemUserConnection,
 TEST_TABLE.toString()).size());
 } catch (Throwable e) {
 LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
@@ -414,6 +427,23 @@ public class TestAccessController extends SecureTestUtil {
 }
 @Test (timeout=180000)
+ public void testTableDescribe() throws Exception {
+ AccessTestAction describeTable = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ final List tables = new ArrayList<>();
+ tables.add(TEST_TABLE);
+ ACCESS_CONTROLLER.preGetTableDescriptors(ObserverContext.createAndPrepare(CP_ENV, null),
+ tables, null, null);
+ return null;
+ }
+ };
+
+ verifyAllowed(describeTable, USER_RO_ALL_CF, USER_RW_ALL_CF, USER_CREATE, USER_ADMIN);
+ verifyDenied(describeTable, USER_NONE);
+ }
+
+ @Test (timeout=180000)
 public void testAddColumn() throws Exception {
 final HColumnDescriptor hcd = new HColumnDescriptor("fam_new");
 AccessTestAction action = new AccessTestAction() {
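Review bot: testTableDescribe only exercises table-scope grantees (USER_RO_ALL_CF and USER_RW_ALL_CF are granted with a null family in the @@ -301 hunk), so it does not pin the behaviour for a user whose READ is limited to a single column family, which is exactly the case where preGetTableDescriptors' null-family check is least obvious; adding such a user to either verifyAllowed or verifyDenied would document the intended scope of the new rule. The USER_RW_ALL_CF grant spells the same enum two ways, `Permission.Action.READ, Action.WRITE`; pick one form as the surrounding grants do. If `final List tables` is genuinely a raw type rather than a rendering artefact, declare it `final List<TableName> tables = new ArrayList<>();`.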