Posted to commits@hbase.apache.org by ap...@apache.org on 2014/12/16 03:29:12 UTC
[2/4] hbase git commit: HBASE-12348 preModifyColumn and
preDeleteColumn in AC denies user to perform its operation though it has
required rights
HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights
Signed-off-by: Andrew Purtell <ap...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/110c5f59
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/110c5f59
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/110c5f59
Branch: refs/heads/master
Commit: 110c5f593057366509b8480e396cc750d5fd782b
Parents: 065d03b
Author: Ashish Singhi <as...@huawei.com>
Authored: Mon Dec 15 17:43:19 2014 -0800
Committer: Andrew Purtell <ap...@apache.org>
Committed: Mon Dec 15 17:43:19 2014 -0800
----------------------------------------------------------------------
.../hbase/security/access/AccessController.java | 5 +++--
.../security/access/TestAccessController.java | 19 +++++++++++++------
2 files changed, 16 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/110c5f59/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index c7abb81..ce3d08b 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1028,13 +1028,14 @@ public class AccessController extends BaseMasterAndRegionObserver
@Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
HColumnDescriptor descriptor) throws IOException {
- requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
+ Action.CREATE);
}
@Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
byte[] col) throws IOException {
- requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE);
}
@Override
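Review bot: With the family now passed to `requirePermission` in both `preModifyColumn` and `preDeleteColumn`, a grant scoped to a single column family appears to be enough to alter or drop that family, and both calls still list `Action.CREATE` next to `Action.ADMIN`. If the listed actions are alternatives, as the argument list suggests, a family-level CREATE grant would also authorize deleting the family and its data, while the tests in this commit exercise only a family-level ADMIN user. The intended scope deserves a comment above each call, for example `// Checked at family scope: a grant on this family alone is sufficient.`, together with a confirmation that family-level CREATE is meant to cover delete.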
http://git-wip-us.apache.org/repos/asf/hbase/blob/110c5f59/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 28d33d9..11a131b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -155,6 +155,8 @@ public class TestAccessController extends SecureTestUtil {
private static User USER_CREATE;
// user with no permissions
private static User USER_NONE;
+ // user with admin rights on the column family
+ private static User USER_ADMIN_CF;
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
@@ -213,6 +215,7 @@ public class TestAccessController extends SecureTestUtil {
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
+ USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
}
@AfterClass
@@ -261,9 +264,13 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE.getTableName(), TEST_FAMILY, null,
Permission.Action.READ);
- assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
+ TEST_TABLE.getTableName(), TEST_FAMILY,
+ null, Permission.Action.ADMIN);
+
+ assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
try {
- assertEquals(4, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
+ assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
}
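Review bot: The updated `assertEquals(5, AccessControlClient.getUserPermissions(...).size())` sits inside `try { ... } catch (Throwable e)`, and that handler only logs, so an `AssertionError` from a wrong permission count is swallowed and this check cannot fail the test. For a test that guards ACL state, the handler should rethrow, e.g. `throw new AssertionError("error during call of AccessControlClient.getUserPermissions", e);`, or the catch should be narrowed so assertion failures propagate. The enclosing setup method starts above this hunk, so whether it can declare a checked exception instead is not visible here.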
@@ -378,7 +385,7 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
}
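Review bot: Adding `USER_ADMIN_CF` to `verifyAllowed` here, and again in the next hunk at `-393,7 +400,7`, covers only the positive case of the new family-scoped check. Nothing in either hunk shows that ADMIN on one family is refused for a column in a different family, which is the boundary the narrowed `requirePermission` call introduces. A user granted ADMIN on a second family, added to the denied list as `verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_ADMIN_OTHER_CF);` (name constructed for illustration), would pin that down. Both test methods begin outside their hunks, so the column each action targets is assumed to be `TEST_FAMILY`.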
@@ -393,7 +400,7 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
}
@@ -2542,8 +2549,8 @@ public class TestAccessController extends SecureTestUtil {
null, Action.ADMIN);
List<UserPermission> perms = testUserPerms.runAs(getPrivilegedAction(regex));
assertNotNull(perms);
- // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms has row each.
- assertEquals(5, perms.size());
+ // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each.
+ assertEquals(6, perms.size());
}
@Test