hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From te...@apache.org
Subject hbase git commit: HBASE-14809 Grant / revoke Namespace admin permission to group
Date Mon, 16 Nov 2015 17:32:16 GMT
Repository: hbase
Updated Branches:
  refs/heads/branch-1 b7a4c5f5d -> 47d59288a


HBASE-14809 Grant / revoke Namespace admin permission to group


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/47d59288
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/47d59288
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/47d59288

Branch: refs/heads/branch-1
Commit: 47d59288a7339b8a067ed7f1837113726794a57e
Parents: b7a4c5f
Author: tedyu <yuzhihong@gmail.com>
Authored: Mon Nov 16 09:32:11 2015 -0800
Committer: tedyu <yuzhihong@gmail.com>
Committed: Mon Nov 16 09:32:11 2015 -0800

----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java |  4 +-
 .../security/access/TestNamespaceCommands.java  | 72 ++++++++++++++++++--
 2 files changed, 67 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/47d59288/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 001252a..9c37a88 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2221,7 +2221,7 @@ public class AccessController extends BaseMasterAndRegionObserver
               perm.getQualifier(), Action.ADMIN);
             break;
           case Namespace :
-            requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
+            requireNamespacePermission("grant", perm.getNamespace(), Action.ADMIN);
            break;
         }
 
@@ -2272,7 +2272,7 @@ public class AccessController extends BaseMasterAndRegionObserver
               perm.getQualifier(), Action.ADMIN);
             break;
           case Namespace :
-            requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
+            requireNamespacePermission("revoke", perm.getNamespace(), Action.ADMIN);
             break;
         }
 

http://git-wip-us.apache.org/repos/asf/hbase/blob/47d59288/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 4af918d..064daa2 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -23,7 +23,10 @@ import static org.junit.Assert.assertTrue;
 
 import java.util.List;
 import java.util.Arrays;
+import java.util.Map;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
@@ -56,6 +59,7 @@ import com.google.protobuf.BlockingRpcChannel;
 @Category(MediumTests.class)
 public class TestNamespaceCommands extends SecureTestUtil {
   private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
+  private static final Log LOG = LogFactory.getLog(TestNamespaceCommands.class);
   private static String TEST_NAMESPACE = "ns1";
   private static String TEST_NAMESPACE2 = "ns2";
   private static Configuration conf;
@@ -93,11 +97,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
   private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
 
   private static final String GROUP_ADMIN = "group_admin";
+  private static final String GROUP_NS_ADMIN = "group_ns_admin";
   private static final String GROUP_CREATE = "group_create";
   private static final String GROUP_READ = "group_read";
   private static final String GROUP_WRITE = "group_write";
 
   private static User USER_GROUP_ADMIN;
+  private static User USER_GROUP_NS_ADMIN;
   private static User USER_GROUP_CREATE;
   private static User USER_GROUP_READ;
   private static User USER_GROUP_WRITE;
@@ -130,6 +136,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
 
     USER_GROUP_ADMIN =
         User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+    USER_GROUP_NS_ADMIN =
+        User.createUserForTesting(conf, "user_group_ns_admin", new String[] { GROUP_NS_ADMIN
});
     USER_GROUP_CREATE =
         User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE
});
     USER_GROUP_READ =
@@ -162,6 +170,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
     grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(),  TEST_NAMESPACE, Permission.Action.WRITE);
     grantOnNamespace(UTIL, USER_NS_READ.getShortName(),   TEST_NAMESPACE, Permission.Action.READ);
     grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(),   TEST_NAMESPACE, Permission.Action.EXEC);
+    grantOnNamespace(UTIL, toGroupEntry(GROUP_NS_ADMIN), TEST_NAMESPACE, Permission.Action.ADMIN);
 
     grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
 
@@ -187,7 +196,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
           AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
 
       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
-      assertEquals(5, perms.size());
+      for (Map.Entry<String, TablePermission> entry : perms.entries()) {
+        LOG.debug(entry);
+      }
+      assertEquals(6, perms.size());
 
       // Grant and check state in ACL table
       grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
@@ -196,7 +208,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
       Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
       assertTrue(result != null);
       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
-      assertEquals(6, perms.size());
+      assertEquals(7, perms.size());
       List<TablePermission> namespacePerms = perms.get(userTestNamespace);
       assertTrue(perms.containsKey(userTestNamespace));
       assertEquals(1, namespacePerms.size());
@@ -212,7 +224,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
         Permission.Action.WRITE);
 
       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
-      assertEquals(5, perms.size());
+      assertEquals(6, perms.size());
     }
   }
 
@@ -350,6 +362,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
 
+    AccessTestAction grantNamespaceAction = new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+          BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
+          AccessControlService.BlockingInterface protocol =
+            AccessControlService.newBlockingStub(service);
+          ProtobufUtil.grant(protocol, USER_GROUP_NS_ADMIN.getShortName(),
+            TEST_NAMESPACE, Action.READ);
+        }
+        return null;
+      }
+    };
+
     AccessTestAction revokeAction = new AccessTestAction() {
       public Object run() throws Exception {
         try(Connection conn = ConnectionFactory.createConnection(conf);
@@ -364,6 +391,25 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
 
+    AccessTestAction revokeNamespaceAction = new AccessTestAction() {
+      public Object run() throws Exception {
+        Connection connection = ConnectionFactory.createConnection(conf);
+        Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
+        try {
+          BlockingRpcChannel service =
+              acl.coprocessorService(HConstants.EMPTY_START_ROW);
+          AccessControlService.BlockingInterface protocol =
+            AccessControlService.newBlockingStub(service);
+          ProtobufUtil.revoke(protocol, USER_GROUP_NS_ADMIN.getShortName(),
+            TEST_NAMESPACE, Action.READ);
+        } finally {
+          acl.close();
+          connection.close();
+        }
+        return null;
+      }
+    };
+
     AccessTestAction getPermissionsAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
@@ -378,14 +424,26 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
     verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-    verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
+      USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
+    verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+    verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
     verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+    verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
+      USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
+    verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
     verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,


Mime
View raw message