hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject [4/4] hbase git commit: HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights
Date Tue, 16 Dec 2014 02:29:14 GMT
HBASE-12348 preModifyColumn and preDeleteColumn in AC denies user to perform its operation
though it has required rights

Signed-off-by: Andrew Purtell <apurtell@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/b5f645e0
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/b5f645e0
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/b5f645e0

Branch: refs/heads/0.98
Commit: b5f645e02dc310d59379fcda2519ab82b4403332
Parents: 4fcde44
Author: Ashish Singhi <ashish.singhi@huawei.com>
Authored: Mon Dec 15 17:43:35 2014 -0800
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Mon Dec 15 17:44:09 2014 -0800

----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java      |  5 +++--
 .../hbase/security/access/TestAccessController.java  | 15 +++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/b5f645e0/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 506acee..a28884c 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1022,13 +1022,14 @@ public class AccessController extends BaseMasterAndRegionObserver
   @Override
   public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName
tableName,
       HColumnDescriptor descriptor) throws IOException {
-    requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+    requirePermission("modifyColumn", tableName, descriptor.getName(), null, Action.ADMIN,
+      Action.CREATE);
   }
 
   @Override
   public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, TableName
tableName,
       byte[] col) throws IOException {
-    requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
+    requirePermission("deleteColumn", tableName, col, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/hbase/blob/b5f645e0/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 36e3bce..e10e0f1 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -147,6 +147,8 @@ public class TestAccessController extends SecureTestUtil {
   private static User USER_CREATE;
   // user with no permissions
   private static User USER_NONE;
+  // user with admin rights on the column family
+  private static User USER_ADMIN_CF;
 
   // TODO: convert this test to cover the full matrix in
   // https://hbase.apache.org/book/appendix_acl_matrix.html
@@ -204,6 +206,7 @@ public class TestAccessController extends SecureTestUtil {
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
+    USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
   }
 
   @AfterClass
@@ -252,9 +255,13 @@ public class TestAccessController extends SecureTestUtil {
       TEST_TABLE.getTableName(), TEST_FAMILY, null,
       Permission.Action.READ);
 
-    assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+    grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
+      TEST_TABLE.getTableName(), TEST_FAMILY,
+      null, Permission.Action.ADMIN);
+
+    assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
     try {
-      assertEquals(4, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
+      assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.getUserPermissions. " + e.getStackTrace());
     }
@@ -369,7 +376,7 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
     verifyDenied(action, USER_RW, USER_RO, USER_NONE);
   }
 
@@ -384,7 +391,7 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
     verifyDenied(action, USER_RW, USER_RO, USER_NONE);
   }
 


Mime
View raw message