Posted to commits@accumulo.apache.org by ct...@apache.org on 2015/04/07 23:55:26 UTC

accumulo git commit: ACCUMULO-3637 View auths with ALTER_USER

Repository: accumulo
Updated Branches:
  refs/heads/master 76ef574f4 -> 8b03718a7


ACCUMULO-3637 View auths with ALTER_USER


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/8b03718a
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/8b03718a
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/8b03718a

Branch: refs/heads/master
Commit: 8b03718a72ebee6574cf1fc52e38aa86cdc541d4
Parents: 76ef574
Author: Christopher Tubbs <ct...@apache.org>
Authored: Tue Apr 7 17:44:43 2015 -0400
Committer: Christopher Tubbs <ct...@apache.org>
Committed: Tue Apr 7 17:44:43 2015 -0400

----------------------------------------------------------------------
 .../server/security/SecurityOperation.java      |  5 ++-
 .../org/apache/accumulo/test/ShellServerIT.java | 44 ++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/8b03718a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index 19f2219..f08742d 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -202,7 +202,7 @@ public class SecurityOperation {
           throw new ThriftSecurityException(creds.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
         }
       } catch (AccumuloSecurityException e) {
-        log.debug("AccumuloSecurityException",e);
+        log.debug("AccumuloSecurityException", e);
         throw e.asThriftException();
       }
     }
@@ -244,7 +244,8 @@ public class SecurityOperation {
 
     targetUserExists(user);
 
-    if (!credentials.getPrincipal().equals(user) && !hasSystemPermission(credentials, SystemPermission.SYSTEM, false))
+    if (!credentials.getPrincipal().equals(user) && !hasSystemPermission(credentials, SystemPermission.SYSTEM, false)
+        && !hasSystemPermission(credentials, SystemPermission.ALTER_USER, false))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
 
     try {
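Review bot: The widened condition on the permission check lets any principal holding System.ALTER_USER read another user's authorizations, but nothing in the hunk documents that new grant. A short comment above the `if`, such as `// SYSTEM or ALTER_USER may view another user's authorizations; everyone else only their own`, would make the intended policy explicit on this authorization path. Separately, `targetUserExists(user)` still runs before the permission check, so a caller with neither permission may be able to tell existing users from missing ones if that helper reports a distinct error; the ordering is worth confirming. The enclosing method starts and ends outside the hunk.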

http://git-wip-us.apache.org/repos/asf/accumulo/blob/8b03718a/test/src/test/java/org/apache/accumulo/test/ShellServerIT.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/ShellServerIT.java b/test/src/test/java/org/apache/accumulo/test/ShellServerIT.java
index 56a6a70..7388af8 100644
--- a/test/src/test/java/org/apache/accumulo/test/ShellServerIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/ShellServerIT.java
@@ -715,6 +715,50 @@ public class ShellServerIT extends SharedMiniClusterIT {
   }
 
   @Test
+  public void getAuths() throws Exception {
+    Assume.assumeFalse("test skipped for kerberos", getToken() instanceof KerberosToken);
+
+    // create two users with different auths
+    for (int i = 1; i <= 2; i++) {
+      String userName = name.getMethodName() + "user" + i;
+      String password = "password" + i;
+      String auths = "auth" + i + "A,auth" + i + "B";
+      ts.exec("createuser " + userName, true);
+      ts.exec(password, true);
+      ts.exec("addauths -u " + userName + " -s " + auths, true);
+    }
+
+    // get auths using root user, which has System.SYSTEM
+    ts.exec("getauths -u getAuthsuser1", true, "auth1A", true);
+    ts.exec("getauths -u getAuthsuser1", true, "auth1B", true);
+    ts.exec("getauths -u getAuthsuser2", true, "auth2A", true);
+    ts.exec("getauths -u getAuthsuser2", true, "auth2B", true);
+
+    // grant the first user the ability to see other users auths
+    ts.exec("grant -u getAuthsuser1 -s System.ALTER_USER", true);
+
+    // switch to first user (the one with the ALTER_USER perm)
+    ts.exec("user getAuthsuser1", true);
+    ts.exec("password1", true);
+
+    // get auths for self and other user
+    ts.exec("getauths -u getAuthsuser1", true, "auth1A", true);
+    ts.exec("getauths -u getAuthsuser1", true, "auth1B", true);
+    ts.exec("getauths -u getAuthsuser2", true, "auth2A", true);
+    ts.exec("getauths -u getAuthsuser2", true, "auth2B", true);
+
+    // switch to second user (the one without the ALTER_USER perm)
+    ts.exec("user getAuthsuser2", true);
+    ts.exec("password2", true);
+
+    // get auths for self, but not other user
+    ts.exec("getauths -u getAuthsuser2", true, "auth2A", true);
+    ts.exec("getauths -u getAuthsuser2", true, "auth2B", true);
+    ts.exec("getauths -u getAuthsuser1", false, "PERMISSION_DENIED", true);
+    ts.exec("getauths -u getAuthsuser1", false, "PERMISSION_DENIED", true);
+  }
+
+  @Test
   public void byeQuitExit() throws Exception {
     // bye, quit, exit
     for (String cmd : "bye quit exit".split(" ")) {
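Review bot: `getAuths()` ends with the shell still switched to getAuthsuser2 and leaves both users and the ALTER_USER grant in place. Because the class extends SharedMiniClusterIT, later tests may inherit that state unless `ts` and the users are reset elsewhere, which the hunk does not show; switching back to the admin user and dropping the two users at the end of the test would keep it self-contained. The last two `PERMISSION_DENIED` assertions are identical, so one of them can go. The literal `getAuthsuser1`/`getAuthsuser2` names duplicate what the loop builds from `name.getMethodName()`; holding the two built names in local variables would avoid a silent mismatch if the method is renamed.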