From 2cfd104f6dcb1c057904aa5c54f43dfa24f0bc72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Istv=C3=A1n=20T=C3=B3th?=
Date: Fri, 14 Jun 2019 13:38:01 +0200
Subject: [PATCH] HBASE-22581 user with "CREATE" permission can grant, but not revoke permissions on created table

Unit test only, as the this branch does not have the bug
---
 .../security/access/TestAccessController.java | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 31f2adf790..ab968c7f7d 100644
--- hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -3699,4 +3699,42 @@ public class TestAccessController extends SecureTestUtil {
 }
 }
 }
+
+ /*
+ * Check that table scope ADMIN permission lets the user run both grant and revoke
+ */
+ @Test
+ public void testTableAdmin() throws Exception {
+
+ // Create a user with table admin permissions only
+ User userTableAdmin = User.createUserForTesting(conf, "table_admin", new String[0]);
+ grantOnTable(TEST_UTIL, userTableAdmin.getShortName(), TEST_TABLE, null, null,
+ Permission.Action.ADMIN);
+
+ AccessTestAction grantAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf)) {
+ conn.getAdmin().grant(new UserPermission(userTableAdmin.getShortName(), Permission
+ .newBuilder(TEST_TABLE).withActions(Action.READ).build()),
+ true);
+ }
+ return null;
+ }
+ };
+
+ AccessTestAction revokeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf)) {
+ conn.getAdmin().revoke(new UserPermission(userTableAdmin.getShortName(), Permission
+ .newBuilder(TEST_TABLE).withActions(Action.READ).build()));
+ }
+ return null;
+ }
+ };
+
+ verifyAllowed(userTableAdmin, grantAction);
+ verifyAllowed(userTableAdmin, revokeAction);
+ }
 }
-- 
2.21.0 (Apple Git-120)
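Review bot: testTableAdmin asserts only the allowed path: both `verifyAllowed` calls at the end run as `table_admin`, so the test would still pass if grant or revoke on TEST_TABLE became permitted for every user. Add the denial side with a second test user that holds no table-scope ADMIN, for example `User userNoAdmin = User.createUserForTesting(conf, "no_admin", new String[0]);` followed by `verifyDenied(userNoAdmin, grantAction, revokeAction);` (the user name is a constructed sample). The grantee in both actions is `userTableAdmin` itself, so each action rewrites the caller's own ACL entry; a distinct grantee would keep the permission being exercised separate from the permission being changed. The subject line describes a user holding CREATE, while the test assigns ADMIN directly through `grantOnTable`; if the reported path is ADMIN acquired by creating the table, that path does not appear to be covered here.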