hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject svn commit: r1581939 - in /hbase/trunk/hbase-server/src: main/java/org/apache/hadoop/hbase/security/access/AccessController.java test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Date Wed, 26 Mar 2014 17:05:29 GMT
Author: apurtell
Date: Wed Mar 26 17:05:29 2014
New Revision: 1581939

URL: http://svn.apache.org/r1581939
Log:
HBASE-10838 Insufficient AccessController covering permission check (Anoop Sam John)

Modified:
    hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
    hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1581939&r1=1581938&r2=1581939&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
(original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Wed Mar 26 17:05:29 2014
@@ -503,7 +503,6 @@ public class AccessController extends Ba
     if (canPersistCellACLs) {
       Get get = new Get(row);
       if (timestamp != HConstants.LATEST_TIMESTAMP) get.setTimeStamp(timestamp);
-      get.setMaxResultsPerColumnFamily(1); // Hold down memory use on wide rows
       if (allVersions) {
         get.setMaxVersions();
       } else {
@@ -545,7 +544,8 @@ public class AccessController extends Ba
         boolean more = false;
         do {
           cells.clear();
-          more = scanner.next(cells);
+          // scan with limit as 1 to hold down memory use on wide rows
+          more = scanner.next(cells, 1);
           for (Cell cell: cells) {
             if (LOG.isTraceEnabled()) {
               LOG.trace("Found cell " + cell);

Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1581939&r1=1581938&r2=1581939&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
(original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Wed Mar 26 17:05:29 2014
@@ -24,6 +24,8 @@ import static org.junit.Assert.assertTru
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.NavigableMap;
@@ -221,7 +223,9 @@ public class TestAccessController extend
     // Create the test table (owner added to the _acl_ table)
     HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
     HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName());
-    htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
+    HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
+    hcd.setMaxVersions(100);
+    htd.addFamily(hcd);
     htd.setOwner(USER_OWNER);
     admin.createTable(htd, new byte[][] { Bytes.toBytes("s") });
     TEST_UTIL.waitTableEnabled(TEST_TABLE.getTableName().getName());
@@ -1207,6 +1211,113 @@ public class TestAccessController extend
   }
 
   @Test
+  public void testCellPermissionsWithDeleteMutipleVersions() throws Exception {
+    // table/column/qualifier level permissions
+    final byte[] TEST_ROW1 = Bytes.toBytes("r1");
+    final byte[] TEST_ROW2 = Bytes.toBytes("r2");
+    final byte[] TEST_Q1 = Bytes.toBytes("q1");
+    final byte[] TEST_Q2 = Bytes.toBytes("q2");
+    final byte[] ZERO = Bytes.toBytes(0L);
+
+    // additional test user
+    final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
+    final User user2 = User.createUserForTesting(conf, "user2", new String[0]);
+
+    verifyAllowed(new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        HTable t = new HTable(conf, TEST_TABLE.getTableName());
+        try {
+          // with rw ACL for "user1"
+          Put p = new Put(TEST_ROW1);
+          p.add(TEST_FAMILY, TEST_Q1, ZERO);
+          p.add(TEST_FAMILY, TEST_Q2, ZERO);
+          p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
+              Permission.Action.WRITE));
+          t.put(p);
+          // with rw ACL for "user1"
+          p = new Put(TEST_ROW2);
+          p.add(TEST_FAMILY, TEST_Q1, ZERO);
+          p.add(TEST_FAMILY, TEST_Q2, ZERO);
+          p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
+              Permission.Action.WRITE));
+          t.put(p);
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    }, USER_OWNER);
+
+    verifyAllowed(new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        HTable t = new HTable(conf, TEST_TABLE.getTableName());
+        try {
+          // with rw ACL for "user1" and "user2"
+          Put p = new Put(TEST_ROW1);
+          p.add(TEST_FAMILY, TEST_Q1, ZERO);
+          p.add(TEST_FAMILY, TEST_Q2, ZERO);
+          Map<String, Permission> perms = new HashMap<String, Permission>();
+          perms.put(user1.getShortName(), new Permission(Permission.Action.READ,
+              Permission.Action.WRITE));
+          perms.put(user2.getShortName(), new Permission(Permission.Action.READ,
+              Permission.Action.WRITE));
+          p.setACL(perms);
+          t.put(p);
+          // with rw ACL for "user1" and "user2"
+          p = new Put(TEST_ROW2);
+          p.add(TEST_FAMILY, TEST_Q1, ZERO);
+          p.add(TEST_FAMILY, TEST_Q2, ZERO);
+          p.setACL(perms);
+          t.put(p);
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    }, user1);
+
+    // user1 should be allowed to delete TEST_ROW1 as he is having write permission on both
+    // versions of the cells
+    user1.runAs(new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        HTable t = new HTable(conf, TEST_TABLE.getTableName());
+        try {
+          Delete d = new Delete(TEST_ROW1);
+          d.deleteColumns(TEST_FAMILY, TEST_Q1);
+          d.deleteColumns(TEST_FAMILY, TEST_Q2);
+          t.delete(d);
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    });
+    // user2 should not be allowed to delete TEST_ROW2 as he is having write permission only
on one
+    // version of the cells.
+    user2.runAs(new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        HTable t = new HTable(conf, TEST_TABLE.getTableName());
+        try {
+          Delete d = new Delete(TEST_ROW2);
+          d.deleteColumns(TEST_FAMILY, TEST_Q1);
+          d.deleteColumns(TEST_FAMILY, TEST_Q2);
+          t.delete(d);
+          fail("user2 should not be allowed to delete the row");
+        } catch (Exception e) {
+
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    });
+  }
+
+  @Test
   public void testGrantRevoke() throws Exception {
     AccessTestAction grantAction = new AccessTestAction() {
       @Override



Mime
View raw message