You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by ct...@apache.org on 2022/10/03 06:03:28 UTC

[accumulo] branch main updated: Revert "Added missing permission checks to ClientServiceHandler Thrift API methods (#2988)"

This is an automated email from the ASF dual-hosted git repository.

ctubbsii pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new ac5a1227a7 Revert "Added missing permission checks to ClientServiceHandler Thrift API methods (#2988)"
ac5a1227a7 is described below

commit ac5a1227a743dd0fb50d90cda9f93d2b6c2d6edc
Author: Christopher Tubbs <ct...@apache.org>
AuthorDate: Mon Oct 3 01:46:48 2022 -0400

    Revert "Added missing permission checks to ClientServiceHandler Thrift API methods (#2988)"
    
    This reverts commit a5c9b3724ddfb5c24968272c0891da9723675472.
    
    This patch is not ready, and causes a lot of test failures. It should be
    re-applied after further consideration of desired behavior and after
    ensuring tests are not failing as a result of the change.
---
 .../server/client/ClientServiceHandler.java        | 91 +++++-----------------
 1 file changed, 18 insertions(+), 73 deletions(-)

diff --git a/server/base/src/main/java/org/apache/accumulo/server/client/ClientServiceHandler.java b/server/base/src/main/java/org/apache/accumulo/server/client/ClientServiceHandler.java
index 79f47b46c8..57ced4a3c8 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/client/ClientServiceHandler.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/client/ClientServiceHandler.java
@@ -293,6 +293,7 @@ public class ClientServiceHandler implements ClientService.Iface {
 
   private Map<String,String> conf(TCredentials credentials, AccumuloConfiguration conf)
       throws TException {
+    security.authenticateUser(credentials, credentials);
     conf.invalidateCache();
 
     Map<String,String> result = new HashMap<>();
@@ -307,11 +308,6 @@ public class ClientServiceHandler implements ClientService.Iface {
   @Override
   public Map<String,String> getConfiguration(TInfo tinfo, TCredentials credentials,
       ConfigurationType type) throws TException {
-    if (!security.hasSystemPermission(credentials, credentials.getPrincipal(),
-        SystemPermission.SYSTEM)) {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
     switch (type) {
       case CURRENT:
         context.getPropStore().getCache().remove(SystemPropKey.of(context));
@@ -325,70 +321,38 @@ public class ClientServiceHandler implements ClientService.Iface {
   }
 
   @Override
-  public Map<String,String> getSystemProperties(TInfo tinfo, TCredentials credentials)
-      throws ThriftSecurityException {
-    if (security.hasSystemPermission(credentials, credentials.getPrincipal(),
-        SystemPermission.SYSTEM)) {
-      return context.getPropStore().get(SystemPropKey.of(context)).asMap();
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+  public Map<String,String> getSystemProperties(TInfo tinfo, TCredentials credentials) {
+    return context.getPropStore().get(SystemPropKey.of(context)).asMap();
   }
 
   @Override
-  public TVersionedProperties getVersionedSystemProperties(TInfo tinfo, TCredentials credentials)
-      throws ThriftSecurityException {
-    if (security.hasSystemPermission(credentials, credentials.getPrincipal(),
-        SystemPermission.SYSTEM)) {
-      return Optional.of(context.getPropStore().get(SystemPropKey.of(context)))
-          .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+  public TVersionedProperties getVersionedSystemProperties(TInfo tinfo, TCredentials credentials) {
+    return Optional.of(context.getPropStore().get(SystemPropKey.of(context)))
+        .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
   }
 
   @Override
   public Map<String,String> getTableConfiguration(TInfo tinfo, TCredentials credentials,
       String tableName) throws TException, ThriftTableOperationException {
     TableId tableId = checkTableId(context, tableName, null);
-    if (security.hasTablePermission(credentials, credentials.getPrincipal(), tableId,
-        TablePermission.READ)) {
-      context.getPropStore().getCache().remove(TablePropKey.of(context, tableId));
-      AccumuloConfiguration config = context.getTableConfiguration(tableId);
-      return conf(credentials, config);
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+    context.getPropStore().getCache().remove(TablePropKey.of(context, tableId));
+    AccumuloConfiguration config = context.getTableConfiguration(tableId);
+    return conf(credentials, config);
   }
 
   @Override
   public Map<String,String> getTableProperties(TInfo tinfo, TCredentials credentials,
       String tableName) throws TException {
     final TableId tableId = checkTableId(context, tableName, null);
-    if (security.hasTablePermission(credentials, credentials.getPrincipal(), tableId,
-        TablePermission.READ)) {
-      return context.getPropStore().get(TablePropKey.of(context, tableId)).asMap();
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+    return context.getPropStore().get(TablePropKey.of(context, tableId)).asMap();
   }
 
   @Override
   public TVersionedProperties getVersionedTableProperties(TInfo tinfo, TCredentials credentials,
       String tableName) throws TException {
     final TableId tableId = checkTableId(context, tableName, null);
-    if (security.hasTablePermission(credentials, credentials.getPrincipal(), tableId,
-        TablePermission.READ)) {
-      return Optional.of(context.getPropStore().get(TablePropKey.of(context, tableId)))
-          .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+    return Optional.of(context.getPropStore().get(TablePropKey.of(context, tableId)))
+        .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
   }
 
   @Override
@@ -526,15 +490,9 @@ public class ClientServiceHandler implements ClientService.Iface {
       throw new ThriftTableOperationException(null, ns, null,
           TableOperationExceptionType.NAMESPACE_NOTFOUND, why);
     }
-    if (security.hasNamespacePermission(credentials, credentials.getPrincipal(), namespaceId,
-        NamespacePermission.READ)) {
-      context.getPropStore().getCache().remove(NamespacePropKey.of(context, namespaceId));
-      AccumuloConfiguration config = context.getNamespaceConfiguration(namespaceId);
-      return conf(credentials, config);
-    } else {
-      throw new ThriftSecurityException(credentials.getPrincipal(),
-          SecurityErrorCode.PERMISSION_DENIED);
-    }
+    context.getPropStore().getCache().remove(NamespacePropKey.of(context, namespaceId));
+    AccumuloConfiguration config = context.getNamespaceConfiguration(namespaceId);
+    return conf(credentials, config);
   }
 
   @Override
@@ -543,13 +501,7 @@ public class ClientServiceHandler implements ClientService.Iface {
     NamespaceId namespaceId;
     try {
       namespaceId = Namespaces.getNamespaceId(context, ns);
-      if (security.hasNamespacePermission(credentials, credentials.getPrincipal(), namespaceId,
-          NamespacePermission.READ)) {
-        return context.getPropStore().get(NamespacePropKey.of(context, namespaceId)).asMap();
-      } else {
-        throw new ThriftSecurityException(credentials.getPrincipal(),
-            SecurityErrorCode.PERMISSION_DENIED);
-      }
+      return context.getPropStore().get(NamespacePropKey.of(context, namespaceId)).asMap();
     } catch (NamespaceNotFoundException e) {
       String why = "Could not find namespace while getting configuration.";
       throw new ThriftTableOperationException(null, ns, null,
@@ -563,14 +515,8 @@ public class ClientServiceHandler implements ClientService.Iface {
     NamespaceId namespaceId;
     try {
       namespaceId = Namespaces.getNamespaceId(context, ns);
-      if (security.hasNamespacePermission(credentials, credentials.getPrincipal(), namespaceId,
-          NamespacePermission.READ)) {
-        return Optional.of(context.getPropStore().get(NamespacePropKey.of(context, namespaceId)))
-            .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
-      } else {
-        throw new ThriftSecurityException(credentials.getPrincipal(),
-            SecurityErrorCode.PERMISSION_DENIED);
-      }
+      return Optional.of(context.getPropStore().get(NamespacePropKey.of(context, namespaceId)))
+          .map(vProps -> new TVersionedProperties(vProps.getDataVersion(), vProps.asMap())).get();
     } catch (NamespaceNotFoundException e) {
       String why = "Could not find namespace while getting configuration.";
       throw new ThriftTableOperationException(null, ns, null,
@@ -581,5 +527,4 @@ public class ClientServiceHandler implements ClientService.Iface {
   public List<BulkImportStatus> getBulkLoadStatus() {
     return bulkImportStatus.getBulkLoadStatus();
   }
-
 }