You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by vj...@apache.org on 2021/01/07 13:39:05 UTC
[hbase] branch branch-2.2 updated: HBASE-25432: add security checks
for setTableStateInMeta and fixMeta (#2819)
This is an automated email from the ASF dual-hosted git repository.
vjasani pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.2 by this push:
new e355e26 HBASE-25432: add security checks for setTableStateInMeta and fixMeta (#2819)
e355e26 is described below
commit e355e266cefb0c6c3b41b6fd1d2feb15d4001ae7
Author: lujiefsi <lu...@foxmail.com>
AuthorDate: Tue Dec 29 02:59:29 2020 +0800
HBASE-25432: add security checks for setTableStateInMeta and fixMeta (#2819)
Signed-off-by: Duo Zhang <zh...@apache.org>
Signed-off-by: Viraj Jasani <vj...@apache.org>
---
.../hadoop/hbase/master/MasterRpcServices.java | 2 ++
.../hbase/security/access/SecureTestUtil.java | 4 +++
.../security/access/TestAccessController.java | 31 ++++++++++++++++++++++
3 files changed, 37 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index e3db7db..1eed54d 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2368,6 +2368,7 @@ public class MasterRpcServices extends RSRpcServices
@Override
public GetTableStateResponse setTableStateInMeta(RpcController controller,
SetTableStateInMetaRequest request) throws ServiceException {
+ rpcPreCheck("setTableStateInMeta");
TableName tn = ProtobufUtil.toTableName(request.getTableName());
try {
TableState prevState = this.master.getTableStateManager().getTableState(tn);
@@ -2516,6 +2517,7 @@ public class MasterRpcServices extends RSRpcServices
@Override
public FixMetaResponse fixMeta(RpcController controller, FixMetaRequest request)
throws ServiceException {
+ rpcPreCheck("fixMeta");
try {
MetaFixer mf = new MetaFixer(this.master);
mf.fix();
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index 341e7df..dd1335f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -52,6 +52,7 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.io.hfile.HFile;
+import org.apache.hadoop.hbase.ipc.RemoteWithExtrasException;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
@@ -249,6 +250,9 @@ public class SecureTestUtil {
// is buried in the stack trace
Throwable ex = e;
do {
+ if (ex instanceof RemoteWithExtrasException) {
+ ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();
+ }
if (ex instanceof AccessDeniedException) {
isAccessDeniedException = true;
break;
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 1275605..651434b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -65,6 +65,7 @@ import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.Hbck;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hadoop.hbase.client.Put;
@@ -74,7 +75,9 @@ import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hadoop.hbase.client.Table;
+import org.apache.hadoop.hbase.client.TableState;
import org.apache.hadoop.hbase.client.security.SecurityCapability;
+
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContextImpl;
@@ -378,6 +381,34 @@ public class TestAccessController extends SecureTestUtil {
}
@Test
+ public void testUnauthorizedSetTableStateInMeta() throws Exception {
+ AccessTestAction action = () -> {
+ try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Hbck hbck = conn.getHbck()){
+ hbck.setTableStateInMeta(new TableState(TEST_TABLE, TableState.State.DISABLED));
+ }
+ return null;
+ };
+
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
+ }
+
+ @Test
+ public void testUnauthorizedFixMeta() throws Exception {
+ AccessTestAction action = () -> {
+ try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Hbck hbck = conn.getHbck()){
+ hbck.fixMeta();
+ }
+ return null;
+ };
+
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
+ }
+
+ @Test
public void testSecurityCapabilities() throws Exception {
List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin()
.getSecurityCapabilities();