You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by ap...@apache.org on 2013/06/25 00:21:34 UTC
svn commit: r1496238 - in /hbase/trunk:
hbase-client/src/main/java/org/apache/hadoop/hbase/client/
hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/
hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/
hbase-server/src/main/java/o...
Author: apurtell
Date: Mon Jun 24 22:21:33 2013
New Revision: 1496238
URL: http://svn.apache.org/r1496238
Log:
HBASE-8692. [AccessController] Restrict HTableDescriptor enumeration
Modified:
hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java
hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java
hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
hbase/trunk/hbase-server/src/main/ruby/hbase/admin.rb
hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java
hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
hbase/trunk/hbase-server/src/test/ruby/hbase/admin_test.rb
Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java (original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HBaseAdmin.java Mon Jun 24 22:21:33 2013
@@ -591,19 +591,14 @@ public class HBaseAdmin implements Abort
MasterMonitorKeepAliveConnection master = connection.getKeepAliveMasterMonitorService();
try {
GetTableDescriptorsRequest req =
- RequestConverter.buildGetTableDescriptorsRequest(null);
+ RequestConverter.buildGetTableDescriptorsRequest(tableName);
htds = master.getTableDescriptors(null, req);
} catch (ServiceException se) {
throw ProtobufUtil.getRemoteException(se);
} finally {
master.close();
}
- for (TableSchema ts : htds.getTableSchemaList()) {
- if (Bytes.equals(tableName, ts.getName().toByteArray())) {
- tableExists = true;
- break;
- }
- }
+ tableExists = !htds.getTableSchemaList().isEmpty();
if (!tableExists) {
break;
}
Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java (original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java Mon Jun 24 22:21:33 2013
@@ -2309,7 +2309,7 @@ public class HConnectionManager {
MasterMonitorKeepAliveConnection master = getKeepAliveMasterMonitorService();
try {
GetTableDescriptorsRequest req =
- RequestConverter.buildGetTableDescriptorsRequest(null);
+ RequestConverter.buildGetTableDescriptorsRequest((List<String>)null);
return ProtobufUtil.getHTableDescriptorArray(master.getTableDescriptors(null, req));
} catch (ServiceException se) {
throw ProtobufUtil.getRemoteException(se);
@@ -2351,17 +2351,15 @@ public class HConnectionManager {
GetTableDescriptorsResponse htds;
try {
GetTableDescriptorsRequest req =
- RequestConverter.buildGetTableDescriptorsRequest(null);
+ RequestConverter.buildGetTableDescriptorsRequest(tableName);
htds = master.getTableDescriptors(null, req);
} catch (ServiceException se) {
throw ProtobufUtil.getRemoteException(se);
} finally {
master.close();
}
- for (TableSchema ts : htds.getTableSchemaList()) {
- if (Bytes.equals(tableName, ts.getName().toByteArray())) {
- return HTableDescriptor.convert(ts);
- }
+ if (!htds.getTableSchemaList().isEmpty()) {
+ return HTableDescriptor.convert(htds.getTableSchemaList().get(0));
}
throw new TableNotFoundException(Bytes.toString(tableName));
}
Modified: hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java (original)
+++ hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java Mon Jun 24 22:21:33 2013
@@ -1115,6 +1115,19 @@ public final class RequestConverter {
}
/**
+ * Creates a protocol buffer GetTableDescriptorsRequest for a single table
+ *
+ * @param tableName the table name
+ * @return a GetTableDescriptorsRequest
+ */
+ public static GetTableDescriptorsRequest buildGetTableDescriptorsRequest(
+ final byte[] tableName) {
+ return GetTableDescriptorsRequest.newBuilder()
+ .addTableNames(Bytes.toString(tableName))
+ .build();
+ }
+
+ /**
* Creates a protocol buffer IsMasterRunningRequest
*
* @return a IsMasterRunningRequest
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java Mon Jun 24 22:21:33 2013
@@ -343,4 +343,15 @@ public class BaseMasterObserver implemen
public void postDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot) throws IOException {
}
+
+ @Override
+ public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<String> tableNamesList, List<HTableDescriptor> descriptors) throws IOException {
+ }
+
+ @Override
+ public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<HTableDescriptor> descriptors) throws IOException {
+ }
+
}
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java Mon Jun 24 22:21:33 2013
@@ -610,4 +610,23 @@ public interface MasterObserver extends
*/
void postDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot) throws IOException;
+
+ /**
+ * Called before a getTableDescriptors request has been processed.
+ * @param ctx the environment to interact with the framework and master
+ * @param tableNamesList the list of table names, or null if querying for all
+ * @param descriptors an empty list, can be filled with what to return if bypassing
+ * @throws IOException
+ */
+ void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<String> tableNamesList, List<HTableDescriptor> descriptors) throws IOException;
+
+ /**
+ * Called after a getTableDescriptors request has been processed.
+ * @param ctx the environment to interact with the framework and master
+ * @param descriptors the list of descriptors about to be returned
+ * @throws IOException
+ */
+ void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<HTableDescriptor> descriptors) throws IOException;
}
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java Mon Jun 24 22:21:33 2013
@@ -1426,6 +1426,7 @@ MasterServices, Server {
SYNC,
ASYNC
}
+
/**
* Assigns balancer switch according to BalanceSwitchMode
* @param b new balancer switch
@@ -2409,33 +2410,55 @@ MasterServices, Server {
*/
public GetTableDescriptorsResponse getTableDescriptors(
RpcController controller, GetTableDescriptorsRequest req) throws ServiceException {
- GetTableDescriptorsResponse.Builder builder = GetTableDescriptorsResponse.newBuilder();
- if (req.getTableNamesCount() == 0) {
- // request for all TableDescriptors
- Map<String, HTableDescriptor> descriptors = null;
+ List<HTableDescriptor> descriptors = new ArrayList<HTableDescriptor>();
+
+ boolean bypass = false;
+ if (this.cpHost != null) {
try {
- descriptors = this.tableDescriptors.getAll();
- } catch (IOException e) {
- LOG.warn("Failed getting all descriptors", e);
- }
- if (descriptors != null) {
- for (HTableDescriptor htd : descriptors.values()) {
- builder.addTableSchema(htd.convert());
- }
+ bypass = this.cpHost.preGetTableDescriptors(req.getTableNamesList(), descriptors);
+ } catch (IOException ioe) {
+ throw new ServiceException(ioe);
}
}
- else {
- for (String s: req.getTableNamesList()) {
- HTableDescriptor htd = null;
+
+ if (!bypass) {
+ if (req.getTableNamesCount() == 0) {
+ // request for all TableDescriptors
+ Map<String, HTableDescriptor> descriptorMap = null;
try {
- htd = this.tableDescriptors.get(s);
+ descriptorMap = this.tableDescriptors.getAll();
} catch (IOException e) {
- LOG.warn("Failed getting descriptor for " + s, e);
+ LOG.warn("Failed getting all descriptors", e);
+ }
+ if (descriptorMap != null) {
+ descriptors.addAll(descriptorMap.values());
+ }
+ } else {
+ for (String s: req.getTableNamesList()) {
+ try {
+ HTableDescriptor desc = this.tableDescriptors.get(s);
+ if (desc != null) {
+ descriptors.add(desc);
+ }
+ } catch (IOException e) {
+ LOG.warn("Failed getting descriptor for " + s, e);
+ }
+ }
+ }
+
+ if (this.cpHost != null) {
+ try {
+ this.cpHost.postGetTableDescriptors(descriptors);
+ } catch (IOException ioe) {
+ throw new ServiceException(ioe);
}
- if (htd == null) continue;
- builder.addTableSchema(htd.convert());
}
}
+
+ GetTableDescriptorsResponse.Builder builder = GetTableDescriptorsResponse.newBuilder();
+ for (HTableDescriptor htd: descriptors) {
+ builder.addTableSchema(htd.convert());
+ }
return builder.build();
}
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java Mon Jun 24 22:21:33 2013
@@ -1113,4 +1113,44 @@ public class MasterCoprocessorHost
}
}
}
+
+ public boolean preGetTableDescriptors(final List<String> tableNamesList,
+ final List<HTableDescriptor> descriptors) throws IOException {
+ boolean bypass = false;
+ ObserverContext<MasterCoprocessorEnvironment> ctx = null;
+ for (MasterEnvironment env : coprocessors) {
+ if (env.getInstance() instanceof MasterObserver) {
+ ctx = ObserverContext.createAndPrepare(env, ctx);
+ try {
+ ((MasterObserver) env.getInstance()).preGetTableDescriptors(ctx,
+ tableNamesList, descriptors);
+ } catch (Throwable e) {
+ handleCoprocessorThrowable(env, e);
+ }
+ bypass |= ctx.shouldBypass();
+ if (ctx.shouldComplete()) {
+ break;
+ }
+ }
+ }
+ return bypass;
+ }
+
+ public void postGetTableDescriptors(List<HTableDescriptor> descriptors) throws IOException {
+ ObserverContext<MasterCoprocessorEnvironment> ctx = null;
+ for (MasterEnvironment env: coprocessors) {
+ if (env.getInstance() instanceof MasterObserver) {
+ ctx = ObserverContext.createAndPrepare(env, ctx);
+ try {
+ ((MasterObserver)env.getInstance()).postGetTableDescriptors(ctx, descriptors);
+ } catch (Throwable e) {
+ handleCoprocessorThrowable(env, e);
+ }
+ if (ctx.shouldComplete()) {
+ break;
+ }
+ }
+ }
+ }
+
}
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Mon Jun 24 22:21:33 2013
@@ -49,10 +49,13 @@ import org.apache.hadoop.hbase.client.Sc
import org.apache.hadoop.hbase.client.Durability;
import org.apache.hadoop.hbase.coprocessor.*;
import org.apache.hadoop.hbase.exceptions.CoprocessorException;
+import org.apache.hadoop.hbase.exceptions.TableNotDisabledException;
+import org.apache.hadoop.hbase.exceptions.TableNotFoundException;
import org.apache.hadoop.hbase.filter.CompareFilter;
import org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hadoop.hbase.filter.ByteArrayComparable;
import org.apache.hadoop.hbase.ipc.RequestContext;
+import org.apache.hadoop.hbase.master.MasterServices;
import org.apache.hadoop.hbase.master.RegionPlan;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
@@ -1361,4 +1364,38 @@ public class AccessController extends Ba
familyMap.put(family, qualifier != null ? ImmutableSet.of(qualifier) : null);
return familyMap;
}
+
+ @Override
+ public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<String> tableNamesList, List<HTableDescriptor> descriptors) throws IOException {
+ // If the list is empty, this is a request for all table descriptors and requires GLOBAL
+ // ADMIN privs.
+ if (tableNamesList == null || tableNamesList.isEmpty()) {
+ requireGlobalPermission("getTableDescriptors", Permission.Action.ADMIN, null, null);
+ }
+ // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
+ // request can be granted.
+ else {
+ MasterServices masterServices = ctx.getEnvironment().getMasterServices();
+ for (String tableName: tableNamesList) {
+ // Do not deny if the table does not exist
+ byte[] nameAsBytes = Bytes.toBytes(tableName);
+ try {
+ masterServices.checkTableModifiable(nameAsBytes);
+ } catch (TableNotFoundException ex) {
+ // Skip checks for a table that does not exist
+ continue;
+ } catch (TableNotDisabledException ex) {
+ // We don't care about this
+ }
+ requirePermission("getTableDescriptors", nameAsBytes, null, null,
+ Permission.Action.ADMIN, Permission.Action.CREATE);
+ }
+ }
+ }
+
+ @Override
+ public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<HTableDescriptor> descriptors) throws IOException {
+ }
}
Modified: hbase/trunk/hbase-server/src/main/ruby/hbase/admin.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/ruby/hbase/admin.rb?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/ruby/hbase/admin.rb (original)
+++ hbase/trunk/hbase-server/src/main/ruby/hbase/admin.rb Mon Jun 24 22:21:33 2013
@@ -319,15 +319,7 @@ module Hbase
#----------------------------------------------------------------------------------------------
# Returns table's structure description
def describe(table_name)
- tables = @admin.listTables.to_a
- tables << org.apache.hadoop.hbase.HTableDescriptor::META_TABLEDESC
-
- tables.each do |t|
- # Found the table
- return t.to_s if t.getNameAsString == table_name
- end
-
- raise(ArgumentError, "Failed to find table named #{table_name}")
+ @admin.getTableDescriptor(table_name.to_java_bytes).to_s
end
#----------------------------------------------------------------------------------------------
Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java (original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java Mon Jun 24 22:21:33 2013
@@ -31,8 +31,6 @@ import java.util.Map;
import java.util.NavigableMap;
import java.util.concurrent.CountDownLatch;
-import junit.framework.Assert;
-
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
@@ -45,6 +43,7 @@ import org.apache.hadoop.hbase.master.Ma
import org.apache.hadoop.hbase.master.RegionPlan;
import org.apache.hadoop.hbase.master.RegionState;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription;
+import org.apache.hadoop.hbase.protobuf.generated.MasterMonitorProtos.GetTableDescriptorsRequest;
import org.apache.hadoop.hbase.protobuf.RequestConverter;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.regionserver.HRegionServer;
@@ -125,6 +124,8 @@ public class TestMasterObserver {
private boolean postDisableTableHandlerCalled;
private boolean preModifyTableHandlerCalled;
private boolean postModifyTableHandlerCalled;
+ private boolean preGetTableDescriptorsCalled;
+ private boolean postGetTableDescriptorsCalled;
public void enableBypass(boolean bypass) {
this.bypass = bypass;
@@ -183,6 +184,10 @@ public class TestMasterObserver {
postEnableTableHandlerCalled = false;
preDisableTableHandlerCalled = false;
postDisableTableHandlerCalled = false;
+ preModifyTableHandlerCalled = false;
+ postModifyTableHandlerCalled = false;
+ preGetTableDescriptorsCalled = false;
+ postGetTableDescriptorsCalled = false;
}
@Override
@@ -818,6 +823,22 @@ public class TestMasterObserver {
public boolean preDisableTableHandlerCalledOnly() {
return preDisableTableHandlerCalled && !postDisableTableHandlerCalled;
}
+
+ @Override
+ public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<String> tableNamesList, List<HTableDescriptor> descriptors) throws IOException {
+ preGetTableDescriptorsCalled = true;
+ }
+
+ @Override
+ public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
+ List<HTableDescriptor> descriptors) throws IOException {
+ postGetTableDescriptorsCalled = true;
+ }
+
+ public boolean wasGetTableDescriptorsCalled() {
+ return preGetTableDescriptorsCalled && postGetTableDescriptorsCalled;
+ }
}
private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
@@ -1196,5 +1217,22 @@ public class TestMasterObserver {
}
}
-}
+ @Test
+ public void testTableDescriptorsEnumeration() throws Exception {
+ MiniHBaseCluster cluster = UTIL.getHBaseCluster();
+
+ HMaster master = cluster.getMaster();
+ MasterCoprocessorHost host = master.getCoprocessorHost();
+ CPMasterObserver cp = (CPMasterObserver)host.findCoprocessor(
+ CPMasterObserver.class.getName());
+ cp.resetStates();
+
+ GetTableDescriptorsRequest req =
+ RequestConverter.buildGetTableDescriptorsRequest((List<String>)null);
+ master.getTableDescriptors(null, req);
+ assertTrue("Coprocessor should be called on table descriptors request",
+ cp.wasGetTableDescriptorsCalled());
+ }
+
+}
Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java Mon Jun 24 22:21:33 2013
@@ -78,6 +78,7 @@ import org.apache.hadoop.hbase.regionser
import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.ScanType;
import org.apache.hadoop.hbase.exceptions.AccessDeniedException;
+import org.apache.hadoop.hbase.exceptions.TableNotFoundException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.Permission;
@@ -223,7 +224,12 @@ public class TestAccessController {
@After
public void tearDown() throws Exception {
// Clean the _acl_ table
- TEST_UTIL.deleteTable(TEST_TABLE.getTableName());
+ try {
+ TEST_UTIL.deleteTable(TEST_TABLE.getTableName());
+ } catch (TableNotFoundException ex) {
+ // Test deleted the table, no problem
+ LOG.info("Test deleted table " + Bytes.toString(TEST_TABLE.getTableName()));
+ }
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
@@ -1980,4 +1986,85 @@ public class TestAccessController {
table.close();
}
}
+
+ @Test
+ public void testTableDescriptorsEnumeration() throws Exception {
+ User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]);
+
+ // Grant TABLE ADMIN privs
+ HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ ProtobufUtil.grant(protocol, TABLE_ADMIN.getShortName(), TEST_TABLE.getTableName(),
+ null, null, Permission.Action.ADMIN);
+ } finally {
+ acl.close();
+ }
+
+ PrivilegedExceptionAction listTablesAction = new PrivilegedExceptionAction() {
+ public Object run() throws Exception {
+ HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration());
+ try {
+ admin.listTables();
+ } finally {
+ admin.close();
+ }
+ return null;
+ }
+ };
+
+ PrivilegedExceptionAction getTableDescAction = new PrivilegedExceptionAction() {
+ public Object run() throws Exception {
+ HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration());
+ try {
+ admin.getTableDescriptor(TEST_TABLE.getTableName());
+ } finally {
+ admin.close();
+ }
+ return null;
+ }
+ };
+
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN);
+ verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN);
+
+ verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ }
+
+ @Test
+ public void testTableDeletion() throws Exception {
+ User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
+
+ // Grant TABLE ADMIN privs
+ HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ ProtobufUtil.grant(protocol, TABLE_ADMIN.getShortName(), TEST_TABLE.getTableName(),
+ null, null, Permission.Action.ADMIN);
+ } finally {
+ acl.close();
+ }
+
+ PrivilegedExceptionAction deleteTableAction = new PrivilegedExceptionAction() {
+ public Object run() throws Exception {
+ HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration());
+ try {
+ admin.disableTable(TEST_TABLE.getTableName());
+ admin.deleteTable(TEST_TABLE.getTableName());
+ } finally {
+ admin.close();
+ }
+ return null;
+ }
+ };
+
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTableAction, TABLE_ADMIN);
+ }
+
}
Modified: hbase/trunk/hbase-server/src/test/ruby/hbase/admin_test.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/ruby/hbase/admin_test.rb?rev=1496238&r1=1496237&r2=1496238&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/ruby/hbase/admin_test.rb (original)
+++ hbase/trunk/hbase-server/src/test/ruby/hbase/admin_test.rb Mon Jun 24 22:21:33 2013
@@ -191,7 +191,7 @@ module Hbase
#-------------------------------------------------------------------------------
define_test "describe should fail for non-existent tables" do
- assert_raise(ArgumentError) do
+ assert_raise(NativeException) do
admin.describe('.NOT.EXISTS.')
end
end