Posted to commits@hbase.apache.org by ap...@apache.org on 2015/08/12 03:00:49 UTC
[2/2] hbase git commit: HBASE-14057 HBase shell user_permission
should list super users defined on hbase-site.xml
HBASE-14057 HBase shell user_permission should list super users defined on hbase-site.xml
Conflicts:
hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/2eb2017c
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/2eb2017c
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/2eb2017c
Branch: refs/heads/0.98
Commit: 2eb2017c1b7f9e17dcd95e3f1eacdc17bd735b03
Parents: 2ad8da9
Author: Srikanth Srungarapu <ss...@cloudera.com>
Authored: Tue Jul 28 11:43:24 2015 -0700
Committer: Andrew Purtell <ap...@apache.org>
Committed: Tue Aug 11 17:39:29 2015 -0700
----------------------------------------------------------------------
.../hadoop/hbase/security/Superusers.java | 4 +++
.../hbase/security/access/AccessController.java | 19 +++++++++----
.../security/access/TestAccessController.java | 30 ++++++++++++++------
3 files changed, 39 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/2eb2017c/hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java
index 3374343..b196961 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/Superusers.java
@@ -119,4 +119,8 @@ public final class Superusers {
}
return false;
}
+
+ public static List<String> getSuperUsers() {
+ return superUsers;
+ }
}
\ No newline at end of file
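Review bot: `getSuperUsers()` returns the static `superUsers` list itself, so any holder of the reference can add or remove entries and thereby change who the process treats as a superuser at runtime; returning a read-only view, `return Collections.unmodifiableList(superUsers);` (adding the `java.util.Collections` import), or a copy keeps the accessor from becoming a write path. The field's assignment is outside this hunk, so whether it can still be null before the class is set up cannot be confirmed from here; if it can, either document that or return an empty list. A short Javadoc would also help, e.g. `/** Returns the configured superuser names; callers must not modify the list. */`.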
http://git-wip-us.apache.org/repos/asf/hbase/blob/2eb2017c/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 11caabc..36394a3 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1113,7 +1113,7 @@ public class AccessController extends BaseMasterAndRegionObserver
@Override
public Void run() throws Exception {
UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
- htd.getTableName(), null, Action.values());
+ htd.getTableName(), null, Action.values());
AccessControlLists.addUserPermission(conf, userperm);
return null;
}
@@ -1130,7 +1130,7 @@ public class AccessController extends BaseMasterAndRegionObserver
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
HColumnDescriptor descriptor) throws IOException {
requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
- Action.CREATE);
+ Action.CREATE);
}
@Override
@@ -1284,7 +1284,7 @@ public class AccessController extends BaseMasterAndRegionObserver
}
});
this.authManager.getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
- LOG.info(namespace + " entry deleted in "+AccessControlLists.ACL_TABLE_NAME+" table.");
+ LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");
}
@Override
@@ -1710,7 +1710,7 @@ public class AccessController extends BaseMasterAndRegionObserver
Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
User user = getActiveUser();
AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user, env, families,
- Action.READ, Action.WRITE);
+ Action.READ, Action.WRITE);
logResult(authResult);
if (!authResult.isAllowed()) {
if (cellFeaturesEnabled && !compatibleEarlyTermination) {
@@ -1762,7 +1762,7 @@ public class AccessController extends BaseMasterAndRegionObserver
Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
User user = getActiveUser();
AuthResult authResult = permissionGranted(OpType.INCREMENT_COLUMN_VALUE, user, env, families,
- Action.WRITE);
+ Action.WRITE);
if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) {
authResult.setAllowed(checkCoveringPermission(OpType.INCREMENT_COLUMN_VALUE, env, row,
families, HConstants.LATEST_TIMESTAMP, Action.WRITE));
@@ -1948,7 +1948,7 @@ public class AccessController extends BaseMasterAndRegionObserver
LOG.trace("Carrying forward ACLs from " + oldCell + ": " + perms);
}
tags.add(new Tag(AccessControlLists.ACL_TAG_TYPE,
- ProtobufUtil.toUsersAndPermissions(perms).toByteArray()));
+ ProtobufUtil.toUsersAndPermissions(perms).toByteArray()));
}
}
@@ -2237,6 +2237,13 @@ public class AccessController extends BaseMasterAndRegionObserver
return AccessControlLists.getUserPermissions(regionEnv.getConfiguration(), null);
}
});
+ // Adding superusers explicitly to the result set as AccessControlLists do not store them.
+ // Also using acl as table name to be inline with the results of global admin and will
+ // help in avoiding any leakage of information about being superusers.
+ for (String user: Superusers.getSuperUsers()) {
+ perms.add(new UserPermission(user.getBytes(), AccessControlLists.ACL_TABLE_NAME, null,
+ Action.values()));
+ }
}
response = ResponseConverter.buildGetUserPermissionsResponse(perms);
} else {
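Review bot: The new loop encodes the superuser name with `user.getBytes()`, which uses the platform default charset, while the rest of this class and the matching test build the same entry with `Bytes.toBytes(...)` (see the `Bytes.toBytes(owner)` call in the first hunk); on a JVM whose default charset is not UTF-8 the two byte sequences can differ for non-ASCII names and the test's `containsAll` comparison would no longer match what the server returns. Use the same helper here: `perms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME, null, Action.values()));`. The loop also assumes `Superusers.getSuperUsers()` never returns null; that cannot be verified from this hunk, so a null guard or a documented non-null contract on the accessor is worth confirming. The enclosing method begins and ends outside this hunk.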
http://git-wip-us.apache.org/repos/asf/hbase/blob/2eb2017c/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index a7ec07f..0e33aac 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -25,6 +25,7 @@ import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.io.IOException;
+import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.NavigableMap;
@@ -94,6 +95,7 @@ import org.apache.hadoop.hbase.regionserver.HRegionServer;
import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.ScanType;
+import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.testclassification.LargeTests;
@@ -419,7 +421,7 @@ public class TestAccessController extends SecureTestUtil {
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
- USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@@ -663,7 +665,7 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
- USER_GROUP_WRITE, USER_GROUP_CREATE);
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -739,7 +741,7 @@ public class TestAccessController extends SecureTestUtil {
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
- USER_GROUP_WRITE);
+ USER_GROUP_WRITE);
}
@Test
@@ -1100,7 +1102,7 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
- USER_GROUP_WRITE, USER_GROUP_CREATE);
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
@@ -1391,6 +1393,11 @@ public class TestAccessController extends SecureTestUtil {
}
}
+ private boolean hasFoundUserPermission(List<UserPermission> userPermissions,
+ List<UserPermission> perms) {
+ return perms.containsAll(userPermissions);
+ }
+
private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) {
return perms.contains(userPermission);
}
@@ -1661,10 +1668,17 @@ public class TestAccessController extends SecureTestUtil {
} finally {
acl.close();
}
- UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
- AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only global users and user admin has permission on table _acl_ per setup",
- perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
+ List<UserPermission> adminPerms = new ArrayList<UserPermission>();
+ adminPerms.add(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
+ AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")));
+ List<String> superUsers = Superusers.getSuperUsers();
+ for(String user: superUsers) {
+ adminPerms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME,
+ null, null, Action.values()));
+ }
+ assertTrue("Only super users, global users and user admin has permission on table hbase:acl " +
+ "per setup", perms.size() == 5 + superUsers.size() &&
+ hasFoundUserPermission(adminPerms, perms));
}
/** global operations */
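Review bot: The single `assertTrue` folds the size check and the membership check into one boolean, so when it fails the message cannot say whether an entry was missing or an unexpected one was present; split it into `assertEquals("...", 5 + superUsers.size(), perms.size());` followed by `assertTrue("...", hasFoundUserPermission(adminPerms, perms));` (adding the static `assertEquals` import if it is not already present). The `5 + superUsers.size()` arithmetic also assumes no configured superuser is among the five explicitly granted users; that holds only if the test setup keeps the two sets disjoint, which is outside this hunk. The enclosing test method starts outside the hunk.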