Return-Path: X-Original-To: apmail-hbase-commits-archive@www.apache.org Delivered-To: apmail-hbase-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1E9C010069 for ; Thu, 4 Dec 2014 16:06:44 +0000 (UTC) Received: (qmail 70967 invoked by uid 500); 4 Dec 2014 16:06:43 -0000 Delivered-To: apmail-hbase-commits-archive@hbase.apache.org Received: (qmail 70802 invoked by uid 500); 4 Dec 2014 16:06:43 -0000 Mailing-List: contact commits-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hbase.apache.org Delivered-To: mailing list commits@hbase.apache.org Received: (qmail 70780 invoked by uid 99); 4 Dec 2014 16:06:43 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 04 Dec 2014 16:06:43 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 95BFDA1BEC9; Thu, 4 Dec 2014 16:06:43 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: mbertozzi@apache.org To: commits@hbase.apache.org Date: Thu, 04 Dec 2014 16:06:44 -0000 Message-Id: In-Reply-To: <26d708cd90c34a18a56a51f2a3113df0@git.apache.org> References: <26d708cd90c34a18a56a51f2a3113df0@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] hbase git commit: HBASE-12634 Fix the AccessController#requireGlobalPermission(ns) with NS HBASE-12634 Fix the AccessController#requireGlobalPermission(ns) with NS 
Signed-off-by: Matteo Bertozzi Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/ffbfe01b Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/ffbfe01b Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/ffbfe01b Branch: refs/heads/branch-1 Commit: ffbfe01bbeb00d91f8df1ce6ddc041af9887dca7 Parents: bb07de1 Author: Ashish Singhi Authored: Thu Dec 4 15:57:01 2014 +0530 Committer: Matteo Bertozzi Committed: Thu Dec 4 15:35:53 2014 +0000 ---------------------------------------------------------------------- .../hbase/security/access/AccessController.java | 5 +- .../security/access/TestNamespaceCommands.java | 58 +++++++++++++++----- 2 files changed, 48 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/ffbfe01b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 7ab77a5..e106d7a 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java 
@@ -497,7 +497,8 @@ public class AccessController extends BaseMasterAndRegionObserver private void requireGlobalPermission(String request, Action perm, String namespace) throws IOException { User user = getActiveUser(); - if (authManager.authorize(user, perm)) { + if (authManager.authorize(user, perm) + || (namespace != null && authManager.authorize(user, namespace, perm))) { logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace)); } else { logResult(AuthResult.deny(request, "Global check failed", user, perm, namespace)); @@ -1125,7 +1126,7 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preCreateNamespace(ObserverContext ctx, NamespaceDescriptor ns) throws IOException { - requireGlobalPermission("createNamespace", Action.ADMIN, ns.getName()); + requirePermission("createNamespace", Action.ADMIN); } @Override http://git-wip-us.apache.org/repos/asf/hbase/blob/ffbfe01b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 56b3814..5ed56ef 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -22,9 +22,6 @@ import static org.junit.Assert.assertTrue; import java.util.List; -import com.google.common.collect.ListMultimap; -import com.google.protobuf.BlockingRpcChannel; - import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HColumnDescriptor; 
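Review bot: The AuthResult.allow call on the line after the new condition still records the reason "Global check allowed" when the caller was actually admitted by the namespace-scoped authorize(user, namespace, perm) call, so the audit record no longer says which scope granted access. Because every caller that passes a non-null namespace (delete/modify namespace and namespace grant/revoke, judging by the test changes in this commit) now accepts a namespace ADMIN grant, the two outcomes are worth logging distinctly, and splitting the branch keeps the global check short-circuiting first. The method's Javadoc and the deny branch lie outside the hunk; the Javadoc should state that a non-null namespace lets a namespace-scoped grant of the same action satisfy the check.
```java
    User user = getActiveUser();
    if (authManager.authorize(user, perm)) {
      logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace));
    } else if (namespace != null && authManager.authorize(user, namespace, perm)) {
      logResult(AuthResult.allow(request, "Namespace check allowed", user, perm, namespace));
    } else {
      // … unchanged: deny branch …
```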
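Review bot: The replacement call requirePermission("createNamespace", Action.ADMIN) in preCreateNamespace leaves the ns parameter unused and, unlike the delete and modify namespace hooks that the new test expects to accept USER_NSP_ADMIN, deliberately rejects a namespace-scoped ADMIN grant; that asymmetry is undocumented and is likely to be "fixed" back by a later reader. Suggest a comment above the call: `// Creating a namespace is a cluster-level operation: only global ADMIN qualifies; a namespace-scoped ADMIN grant on the new name does not.` preCreateNamespace is shown in full, but the neighbouring namespace hooks it should be compared with are outside the hunk.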
@@ -49,15 +46,14 @@ import org.junit.BeforeClass; import org.junit.Test; import org.junit.experimental.categories.Category; -import java.util.List; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; +import com.google.common.collect.ListMultimap; +import com.google.protobuf.BlockingRpcChannel; @Category(MediumTests.class) public class TestNamespaceCommands extends SecureTestUtil { private static HBaseTestingUtility UTIL = new HBaseTestingUtility(); private static String TestNamespace = "ns1"; + private static String TestNamespace2 = "ns2"; private static Configuration conf; private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; @@ -70,6 +66,8 @@ public class TestNamespaceCommands extends SecureTestUtil { private static User USER_CREATE; // user with permission on namespace for testing all operations. private static User USER_NSP_WRITE; + // user with admin permission on namespace. + private static User USER_NSP_ADMIN; private static String TEST_TABLE = TestNamespace + ":testtable"; private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); @@ -83,6 +81,7 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]); USER_CREATE = User.createUserForTesting(conf, "create_user", new String[0]); USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]); + USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]); UTIL.startMiniCluster(); // Wait for the ACL table to become available 
@@ -93,14 +92,19 @@ public class TestNamespaceCommands extends SecureTestUtil { .findCoprocessor(AccessController.class.getName()); UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build()); + UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace2).build()); grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(), TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE); + + grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace, Permission.Action.ADMIN); + grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TestNamespace2, Permission.Action.ADMIN); } @AfterClass public static void afterClass() throws Exception { UTIL.getHBaseAdmin().deleteNamespace(TestNamespace); + UTIL.getHBaseAdmin().deleteNamespace(TestNamespace2); UTIL.shutdownMiniCluster(); } @@ -117,7 +121,7 @@ public class TestNamespaceCommands extends SecureTestUtil { assertTrue(result != null); ListMultimap perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace); - assertEquals(2, perms.size()); + assertEquals(3, perms.size()); List namespacePerms = perms.get(userTestNamespace); assertTrue(perms.containsKey(userTestNamespace)); assertEquals(1, namespacePerms.size()); @@ -133,7 +137,7 @@ public class TestNamespaceCommands extends SecureTestUtil { Permission.Action.WRITE); perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace); - assertEquals(1, perms.size()); + assertEquals(2, perms.size()); } finally { acl.close(); } 
@@ -149,12 +153,40 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; // verify that superuser or hbase admin can modify namespaces. - verifyAllowed(modifyNamespace, SUPERUSER); + verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN); // all others should be denied verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW); } @Test + public void testCreateAndDeleteNamespace() throws Exception { + AccessTestAction createNamespace = new AccessTestAction() { + public Object run() throws Exception { + ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null), + NamespaceDescriptor.create(TestNamespace2).build()); + return null; + } + }; + + AccessTestAction deleteNamespace = new AccessTestAction() { + public Object run() throws Exception { + ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null), + TestNamespace2); + return null; + } + }; + + // verify that only superuser can create namespaces. + verifyAllowed(createNamespace, SUPERUSER); + // verify that superuser or hbase admin can delete namespaces. + verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN); + + // all others should be denied + verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN); + verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW); + } + + @Test public void testGrantRevoke() throws Exception{ final String testUser = "testUser"; @@ -194,10 +226,10 @@ public class TestNamespaceCommands extends SecureTestUtil { // Only HBase super user should be able to grant and revoke permissions to // namespaces - verifyAllowed(grantAction, SUPERUSER); + verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN); verifyDenied(grantAction, USER_CREATE, USER_RW); - verifyAllowed(revokeAction, SUPERUSER); - verifyDenied(revokeAction, USER_CREATE, USER_RW); + verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW); } @Test
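Review bot: The comment `// verify that superuser or hbase admin can delete namespaces.` above the deleteNamespace verifyAllowed line, and in the -194 hunk `// Only HBase super user should be able to grant and revoke permissions to namespaces`, no longer match the assertions beneath them, which now also admit USER_NSP_ADMIN, a namespace-scoped admin rather than an HBase admin. Suggest `// verify that superuser or a namespace admin can delete namespaces.` and `// Superuser and namespace admins may grant and revoke permissions on a namespace; all others are denied.`; the modifyNamespace comment at the top of this hunk has the same mismatch. The verifyDenied call that lists USER_NSP_ADMIN for createNamespace is what pins the create-versus-delete asymmetry, so a one-line comment there saying creation requires global ADMIN would make the intent explicit. testGrantRevoke's body continues outside the hunk.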