You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "lujie (Jira)" <ji...@apache.org> on 2020/12/22 07:53:00 UTC
[jira] [Updated] (HBASE-25432) we should add security checks for
list_namespace_tables
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
lujie updated HBASE-25432:
--------------------------
Summary: we should add security checks for list_namespace_tables (was: we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace)
> we should add security checks for list_namespace_tables
> -------------------------------------------------------
>
> Key: HBASE-25432
> URL: https://issues.apache.org/jira/browse/HBASE-25432
> Project: HBase
> Issue Type: Bug
> Reporter: lujie
> Priority: Major
>
> list_namespace_tables miss security check.
> listTableDescriptorsByNamespace has security check, but it is useless.
> code of listTableDescriptorsByNamespace is
>
> {code:java}
> public List<TableDescriptor> listTableDescriptorsByNamespace(String name) throws IOException {
> checkInitialized();
> return listTableDescriptors(name, null, null, true);
> }
> {code}
> listTableDescriptors code is
> {code:java}
> public List<TableDescriptor> listTableDescriptors(final String namespace, final String regex,
> final List<TableName> tableNameList, final boolean includeSysTables)
> throws IOException {
> List<TableDescriptor> htds = new ArrayList<>();
> if (cpHost != null) {
> cpHost.preGetTableDescriptors(tableNameList, htds, regex);
> }
> htds = getTableDescriptors(htds, namespace, regex, tableNameList, includeSysTables);
> if (cpHost != null) {
> cpHost.postGetTableDescriptors(tableNameList, htds, regex);
> }
> return htds;
> }
> {code}
> we can see that tableNameList is empty.
> in the AccessController, empty tableNameList is empty:
> {code:java}
> public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
> List<TableName> tableNamesList, List<TableDescriptor> descriptors,
> String regex) throws IOException {
> // We are delegating the authorization check to postGetTableDescriptors as we don't have
> // any concrete set of table names when a regex is present or the full list is requested.
> if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
> // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the
> // request can be granted.
> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
> for (TableName tableName : tableNamesList) {
> // Skip checks for a table that does not exist
> if (!admin.tableExists(tableName)) {
> continue;
> }
> requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN,
> Action.CREATE);
> }
> }
> }
> }
> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)