From els...@apache.org
Subject accumulo git commit: ACCUMULO-1318 Remove restriction on grant/revoke of System.GRANT
Date Thu, 05 Mar 2015 23:43:48 GMT
Repository: accumulo
Updated Branches:
  refs/heads/master 6c6e4f4e7 -> 76ddd9105


ACCUMULO-1318 Remove restriction on grant/revoke of System.GRANT

This assertion isn't relevant in every situation as previously
intended, specifically for Kerberos.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/76ddd910
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/76ddd910
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/76ddd910

Branch: refs/heads/master
Commit: 76ddd91055182bacf1069f76d4f9c05c5beb8575
Parents: 6c6e4f4
Author: Josh Elser <elserj@apache.org>
Authored: Thu Mar 5 15:17:38 2015 -0800
Committer: Josh Elser <elserj@apache.org>
Committed: Thu Mar 5 15:17:38 2015 -0800

----------------------------------------------------------------------
 .../server/security/SecurityOperation.java      |  7 ----
 .../accumulo/test/functional/PermissionsIT.java | 43 +++++++++++++-------
 2 files changed, 28 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/76ddd910/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index c646bba..32ff616 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -534,9 +534,6 @@ public class SecurityOperation {
 
   public boolean canGrantSystem(TCredentials c, String user, SystemPermission sysPerm) throws
ThriftSecurityException {
     authenticate(c);
-    // can't grant GRANT
-    if (sysPerm.equals(SystemPermission.GRANT))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
     return hasSystemPermission(c, SystemPermission.GRANT, false);
   }
 
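Review bot: With the `sysPerm.equals(SystemPermission.GRANT)` guard gone from canGrantSystem, and the matching guard gone from the revoke check in the next hunk, System.GRANT can be passed on by any holder under every authentication mechanism, although the commit message motivates the change only for Kerberos. Nothing in the new code records that this is intended; where the old `// can't grant GRANT` comment stood I would add `// System.GRANT is itself grantable: any user holding it may grant it to another user`. The `user` argument is not consulted in the visible lines of canGrantSystem, so the decision rests entirely on the caller's own GRANT permission. The revoke method starts outside its hunk, so only its root-user check is visible there.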
@@ -566,10 +563,6 @@ public class SecurityOperation {
     if (user.equals(getRootUsername()))
       throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
 
-    // can't revoke GRANT
-    if (sysPerm.equals(SystemPermission.GRANT))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
-
     return hasSystemPermission(c, SystemPermission.GRANT, false);
   }
 

http://git-wip-us.apache.org/repos/asf/accumulo/blob/76ddd910/test/src/test/java/org/apache/accumulo/test/functional/PermissionsIT.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/functional/PermissionsIT.java b/test/src/test/java/org/apache/accumulo/test/functional/PermissionsIT.java
index 2f8a83d..d3021f1 100644
--- a/test/src/test/java/org/apache/accumulo/test/functional/PermissionsIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/functional/PermissionsIT.java
@@ -16,6 +16,9 @@
  */
 package org.apache.accumulo.test.functional;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -102,17 +105,6 @@ public class PermissionsIT extends AccumuloClusterIT {
     for (SystemPermission perm : SystemPermission.values()) {
       log.debug("Verifying the " + perm + " permission");
 
-      // verify GRANT can't be granted
-      if (perm.equals(SystemPermission.GRANT)) {
-        try {
-          c.securityOperations().grantSystemPermission(principal, perm);
-        } catch (AccumuloSecurityException e) {
-          verifyHasNoSystemPermissions(c, principal, perm);
-          continue;
-        }
-        throw new IllegalStateException("Should NOT be able to grant GRANT");
-      }
-
       // test permission before and after granting it
       String tableNamePrefix = getUniqueNames(1)[0];
       testMissingSystemPermission(tableNamePrefix, c, rootUser, test_user_conn, testUser,
perm);
@@ -229,11 +221,11 @@ public class PermissionsIT extends AccumuloClusterIT {
           test_user_conn.securityOperations().dropLocalUser(user);
           throw new IllegalStateException("Should NOT be able to delete a user");
         } catch (AccumuloSecurityException e) {
-          AuthenticationToken userToken = testUser.getToken();
           loginAs(rootUser);
-          if (e.getSecurityErrorCode() != SecurityErrorCode.PERMISSION_DENIED
-              || (userToken instanceof PasswordToken && !root_conn.securityOperations().authenticateUser(user,
userToken)))
+          if (e.getSecurityErrorCode() != SecurityErrorCode.PERMISSION_DENIED || !root_conn.securityOperations().listLocalUsers().contains(user))
{
+            log.info("Failed to authenticate as " + user);
             throw e;
+          }
         }
         break;
       case ALTER_USER:
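Review bot: The added `log.info("Failed to authenticate as " + user)` no longer matches the condition it reports on, because the new check looks at the error code and at whether `listLocalUsers()` still contains the user and authenticates nothing. A message such as `log.info("Unexpected error code " + e.getSecurityErrorCode() + ", or user " + user + " no longer exists")` would say what actually failed when the test is debugged. The enclosing switch starts and ends outside the hunk.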
@@ -323,6 +315,17 @@ public class PermissionsIT extends AccumuloClusterIT {
           // TODO Try to obtain a delegation token without the permission
         }
         break;
+      case GRANT:
+        loginAs(testUser);
+        try {
+          test_user_conn.securityOperations().grantSystemPermission(testUser.getPrincipal(),
SystemPermission.GRANT);
+          throw new IllegalStateException("Should NOT be able to grant System.GRANT to yourself");
+        } catch (AccumuloSecurityException e) {
+          // Expected
+          loginAs(rootUser);
+          assertFalse(root_conn.securityOperations().hasSystemPermission(testUser.getPrincipal(),
SystemPermission.GRANT));
+        }
+        break;
       default:
         throw new IllegalArgumentException("Unrecognized System Permission: " + perm);
     }
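Review bot: The `catch (AccumuloSecurityException e)` in the new `case GRANT` accepts any security error as the expected denial, so an unrelated failure would let the test pass without showing that the permission check rejected the self-grant. The DROP_USER case earlier in this file compares the error code before accepting the exception; the same here would be `if (e.getSecurityErrorCode() != SecurityErrorCode.PERMISSION_DENIED) throw e;` ahead of `loginAs(rootUser)`. The enclosing switch begins outside the hunk.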
@@ -455,7 +458,17 @@ public class PermissionsIT extends AccumuloClusterIT {
           // TODO Try to obtain a delegation token with the permission
         }
         break;
-
+      case GRANT:
+        loginAs(rootUser);
+        root_conn.securityOperations().grantSystemPermission(testUser.getPrincipal(), SystemPermission.GRANT);
+        loginAs(testUser);
+        test_user_conn.securityOperations().grantSystemPermission(testUser.getPrincipal(),
SystemPermission.CREATE_TABLE);
+        loginAs(rootUser);
+        assertTrue("Test user should have CREATE_TABLE",
+            root_conn.securityOperations().hasSystemPermission(testUser.getPrincipal(), SystemPermission.CREATE_TABLE));
+        assertTrue("Test user should have GRANT", root_conn.securityOperations().hasSystemPermission(testUser.getPrincipal(),
SystemPermission.GRANT));
+        root_conn.securityOperations().revokeSystemPermission(testUser.getPrincipal(), SystemPermission.CREATE_TABLE);
+        break;
       default:
         throw new IllegalArgumentException("Unrecognized System Permission: " + perm);
     }
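Review bot: Nothing in the new `case GRANT` revokes System.GRANT, so the relaxed revoke check from this commit is not asserted in the visible lines, and testUser still holds GRANT when the case breaks. After the CREATE_TABLE revoke I would add `root_conn.securityOperations().revokeSystemPermission(testUser.getPrincipal(), SystemPermission.GRANT);` followed by `assertFalse(root_conn.securityOperations().hasSystemPermission(testUser.getPrincipal(), SystemPermission.GRANT));`. The calling loop may already revoke the permission, but that code is outside the hunk and cannot be confirmed from here.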

