hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mberto...@apache.org
Subject [3/3] hbase git commit: HBASE-12634 Fix the AccessController#requireGlobalPermission(ns) with NS
Date Thu, 04 Dec 2014 16:06:45 GMT
HBASE-12634 Fix the AccessController#requireGlobalPermission(ns) with NS

Signed-off-by: Matteo Bertozzi <matteo.bertozzi@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/6c927313
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/6c927313
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/6c927313

Branch: refs/heads/0.98
Commit: 6c927313c5ac7275bce3f9cdc4d215db28264601
Parents: 769f93f
Author: Ashish Singhi <ashish.singhi@huawei.com>
Authored: Thu Dec 4 15:57:01 2014 +0530
Committer: Matteo Bertozzi <matteo.bertozzi@cloudera.com>
Committed: Thu Dec 4 15:42:02 2014 +0000

----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java |  5 +-
 .../security/access/TestNamespaceCommands.java  | 58 +++++++++++++++-----
 2 files changed, 48 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/6c927313/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index ceb6eec..19709e6 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -496,7 +496,8 @@ public class AccessController extends BaseMasterAndRegionObserver
   private void requireGlobalPermission(String request, Action perm,
                                        String namespace) throws IOException {
     User user = getActiveUser();
-    if (authManager.authorize(user, perm)) {
+    if (authManager.authorize(user, perm)
+        || (namespace != null && authManager.authorize(user, namespace, perm))) {
       logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace));
     } else {
       logResult(AuthResult.deny(request, "Global check failed", user, perm, namespace));
@@ -1148,7 +1149,7 @@ public class AccessController extends BaseMasterAndRegionObserver
   @Override
   public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
       NamespaceDescriptor ns) throws IOException {
-    requireGlobalPermission("createNamespace", Action.ADMIN, ns.getName());
+    requirePermission("createNamespace", Action.ADMIN);
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/hbase/blob/6c927313/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index a9601d5..6c53941 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -22,9 +22,6 @@ import static org.junit.Assert.assertTrue;
 
 import java.util.List;
 
-import com.google.common.collect.ListMultimap;
-import com.google.protobuf.BlockingRpcChannel;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
@@ -48,15 +45,14 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
-import java.util.List;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import com.google.common.collect.ListMultimap;
+import com.google.protobuf.BlockingRpcChannel;
 
 @Category(MediumTests.class)
 public class TestNamespaceCommands extends SecureTestUtil {
   private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
   private static String TestNamespace = "ns1";
+  private static String TestNamespace2 = "ns2";
   private static Configuration conf;
   private static MasterCoprocessorEnvironment CP_ENV;
   private static AccessController ACCESS_CONTROLLER;
@@ -69,6 +65,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
   private static User USER_CREATE;
   // user with permission on namespace for testing all operations.
   private static User USER_NSP_WRITE;
+  // user with admin permission on namespace.
+  private static User USER_NSP_ADMIN;
 
   private static String TEST_TABLE = TestNamespace + ":testtable";
   private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -82,6 +80,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
     USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]);
     USER_CREATE = User.createUserForTesting(conf, "create_user", new String[0]);
     USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
+    USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
 
     UTIL.startMiniCluster();
     // Wait for the ACL table to become available
@@ -92,14 +91,19 @@ public class TestNamespaceCommands extends SecureTestUtil {
         .findCoprocessor(AccessController.class.getName());
 
     UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
+    UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace2).build());
 
     grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
       TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
+
+    grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace, Permission.Action.ADMIN);
+    grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace2, Permission.Action.ADMIN);
   }
   
   @AfterClass
   public static void afterClass() throws Exception {
     UTIL.getHBaseAdmin().deleteNamespace(TestNamespace);
+    UTIL.getHBaseAdmin().deleteNamespace(TestNamespace2);
     UTIL.shutdownMiniCluster();
   }
 
@@ -116,7 +120,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
       assertTrue(result != null);
       ListMultimap<String, TablePermission> perms =
           AccessControlLists.getNamespacePermissions(conf, TestNamespace);
-      assertEquals(2, perms.size());
+      assertEquals(3, perms.size());
       List<TablePermission> namespacePerms = perms.get(userTestNamespace);
       assertTrue(perms.containsKey(userTestNamespace));
       assertEquals(1, namespacePerms.size());
@@ -132,7 +136,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
         Permission.Action.WRITE);
 
       perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
-      assertEquals(1, perms.size());
+      assertEquals(2, perms.size());
     } finally {
       acl.close();
     }
@@ -148,12 +152,40 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
     // verify that superuser or hbase admin can modify namespaces.
-    verifyAllowed(modifyNamespace, SUPERUSER);
+    verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN);
     // all others should be denied
     verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
   }
   
   @Test
+  public void testCreateAndDeleteNamespace() throws Exception {
+    AccessTestAction createNamespace = new AccessTestAction() {
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
+          NamespaceDescriptor.create(TestNamespace2).build());
+        return null;
+      }
+    };
+
+    AccessTestAction deleteNamespace = new AccessTestAction() {
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
+          TestNamespace2);
+        return null;
+      }
+    };
+
+    // verify that only superuser can create namespaces.
+    verifyAllowed(createNamespace, SUPERUSER);
+ // verify that superuser or hbase admin can delete namespaces.
+    verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN);
+
+    // all others should be denied
+    verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN);
+    verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+  }
+
+  @Test
   public void testGrantRevoke() throws Exception{
     final String testUser = "testUser";
 
@@ -193,10 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
 
     // Only HBase super user should be able to grant and revoke permissions to
     // namespaces
-    verifyAllowed(grantAction, SUPERUSER);
+    verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN);
     verifyDenied(grantAction, USER_CREATE, USER_RW);
-    verifyAllowed(revokeAction, SUPERUSER);
-    verifyDenied(revokeAction, USER_CREATE, USER_RW);    
+    verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
+    verifyDenied(revokeAction, USER_CREATE, USER_RW);
   }
 
   @Test


Mime
View raw message