Posted to commits@hbase.apache.org by st...@apache.org on 2020/12/28 18:58:50 UTC
[hbase] branch branch-2.4 updated: HBASE-25432: branch-2.4 add
security checks for setTableStateInMeta and fixMeta (#2817)
This is an automated email from the ASF dual-hosted git repository.
stack pushed a commit to branch branch-2.4
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.4 by this push:
new c3d755e HBASE-25432: branch-2.4 add security checks for setTableStateInMeta and fixMeta (#2817)
c3d755e is described below
commit c3d755e3181de80f2f338886707d5c4699c91ebd
Author: lujiefsi <lu...@foxmail.com>
AuthorDate: Tue Dec 29 02:58:31 2020 +0800
HBASE-25432: branch-2.4 add security checks for setTableStateInMeta and fixMeta (#2817)
Signed-off-by: Duo Zhang <zh...@apache.org>
Signed-off-by: Viraj Jasani <vj...@apache.org>
---
.../hadoop/hbase/master/MasterRpcServices.java | 2 ++
.../hbase/security/access/SecureTestUtil.java | 4 +++
.../security/access/TestAccessController.java | 31 ++++++++++++++++++++++
3 files changed, 37 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 76a2516..77d5918 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2496,6 +2496,7 @@ public class MasterRpcServices extends RSRpcServices implements
@Override
public GetTableStateResponse setTableStateInMeta(RpcController controller,
SetTableStateInMetaRequest request) throws ServiceException {
+ rpcPreCheck("setTableStateInMeta");
TableName tn = ProtobufUtil.toTableName(request.getTableName());
try {
TableState prevState = this.master.getTableStateManager().getTableState(tn);
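Review bot: Nothing at the call site says which privilege `rpcPreCheck("setTableStateInMeta")` enforces, and `rpcPreCheck` itself is outside this diff. A short comment above the call would help, e.g. `// Authorize before touching meta: repair RPCs are restricted to admin-level callers (see rpcPreCheck)`; the level is an inference from the users the new tests expect to be denied, so confirm it first. The same comment applies to the `rpcPreCheck("fixMeta")` call in the next hunk. Since only two handlers are guarded here, it is worth confirming that the other Hbck-facing handlers in MasterRpcServices already run an equivalent check. The body of setTableStateInMeta continues past the end of this hunk.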
@@ -2701,6 +2702,7 @@ public class MasterRpcServices extends RSRpcServices implements
@Override
public FixMetaResponse fixMeta(RpcController controller, FixMetaRequest request)
throws ServiceException {
+ rpcPreCheck("fixMeta");
try {
MetaFixer mf = new MetaFixer(this.master);
mf.fix();
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index a84b492..5fdeaf2 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -52,6 +52,7 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.io.hfile.HFile;
+import org.apache.hadoop.hbase.ipc.RemoteWithExtrasException;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
@@ -249,6 +250,9 @@ public class SecureTestUtil {
// is buried in the stack trace
Throwable ex = e;
do {
+ if (ex instanceof RemoteWithExtrasException) {
+ ex = ((RemoteWithExtrasException) ex).unwrapRemoteException();
+ }
if (ex instanceof AccessDeniedException) {
isAccessDeniedException = true;
break;
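Review bot: The new unwrap branch has no why-comment, so nothing explains that the server-side AccessDeniedException can arrive inside a RemoteWithExtrasException instead of on the cause chain. A line such as `// Stub-based clients (e.g. Hbck) deliver the server error as RemoteWithExtrasException; rebuild the real exception before the type check` would cover it. The branch also overwrites `ex`, so whatever advances the loop after this hunk (presumably `ex.getCause()`) walks the unwrapped exception's causes and drops the wrapper's own chain. Holding the unwrapped value in a separate local used only for the `instanceof AccessDeniedException` test would keep the original traversal intact. The do-loop starts before and ends after this hunk.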
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 40823a0..28f1b79 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -65,6 +65,7 @@ import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.Hbck;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hadoop.hbase.client.Put;
@@ -74,7 +75,9 @@ import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hadoop.hbase.client.Table;
+import org.apache.hadoop.hbase.client.TableState;
import org.apache.hadoop.hbase.client.security.SecurityCapability;
+
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContextImpl;
@@ -374,6 +377,34 @@ public class TestAccessController extends SecureTestUtil {
}
@Test
+ public void testUnauthorizedSetTableStateInMeta() throws Exception {
+ AccessTestAction action = () -> {
+ try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Hbck hbck = conn.getHbck()){
+ hbck.setTableStateInMeta(new TableState(TEST_TABLE, TableState.State.DISABLED));
+ }
+ return null;
+ };
+
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
+ }
+
+ @Test
+ public void testUnauthorizedFixMeta() throws Exception {
+ AccessTestAction action = () -> {
+ try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Hbck hbck = conn.getHbck()){
+ hbck.fixMeta();
+ }
+ return null;
+ };
+
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
+ }
+
+ @Test
public void testSecurityCapabilities() throws Exception {
List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin()
.getSecurityCapabilities();
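Review bot: Both new tests assert only the deny path, so they would still pass if the pre-check rejected every caller or required the wrong permission. For `testUnauthorizedFixMeta` a positive assertion such as `verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);` would pin who may call it. For `setTableStateInMeta` the allowed path would actually mark TEST_TABLE as DISABLED, so it needs a scratch table or a restore step. Relatedly, if the check ever regresses, the denied-user run of `testUnauthorizedSetTableStateInMeta` will flip the shared TEST_TABLE state and likely cascade into unrelated failures. On style, `try(` and `){` are missing the usual spaces, and the two lambdas repeat the same connection boilerplate that a small helper could hold. The trailing `testSecurityCapabilities` context continues outside this hunk.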