This is an automated email from the ASF dual-hosted git repository.

ctubbsii pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new cfd8d44  Check namespace perm for fast-failure in InputConfigurator 
(#1693)
cfd8d44 is described below

commit cfd8d4481f16880e17e2f5a3247628ab9d409f88
Author: tynyttie <ty_barnes_j...@yahoo.com>
AuthorDate: Tue Sep 1 11:54:59 2020 -0400

    Check namespace perm for fast-failure in InputConfigurator (#1693)
---
 .../mapreduce/lib/InputConfigurator.java           | 24 ++++++++++++++++++--
 .../org/apache/accumulo/test/NamespacesIT.java     | 26 ++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git 
a/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
 
b/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
index 1e6d3e0..9155235 100644
--- 
a/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
+++ 
b/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
@@ -67,6 +67,7 @@ import org.apache.accumulo.core.metadata.MetadataTable;
 import org.apache.accumulo.core.metadata.schema.MetadataSchema;
 import org.apache.accumulo.core.sample.impl.SamplerConfigurationImpl;
 import org.apache.accumulo.core.security.Authorizations;
+import org.apache.accumulo.core.security.NamespacePermission;
 import org.apache.accumulo.core.security.TablePermission;
 import org.apache.accumulo.core.util.Pair;
 import org.apache.accumulo.core.util.TextUtil;
@@ -717,6 +718,15 @@ public class InputConfigurator extends ConfiguratorBase {
     }
   }
 
+  private static String extractNamespace(final String tableName) {
+    final int delimiterPos = tableName.indexOf('.');
+    if (delimiterPos < 1) {
+      return ""; // default namespace
+    } else {
+      return tableName.substring(0, delimiterPos);
+    }
+  }
+
   /**
    * Validates that the user has permissions on the requested tables
    *
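Review bot: `extractNamespace` has no comment stating its contract, and the `delimiterPos < 1` branch silently maps a name that begins with '.' to the default namespace instead of rejecting it. Because the result feeds a permission lookup, I would spell that out above the method, e.g. `// Returns "" (default namespace) when tableName has no '.' or starts with one; does not validate the name.` If the core client already exposes a table-name qualification helper to this module, reusing it would keep namespace parsing in one place.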
@@ -731,6 +741,7 @@ public class InputConfigurator extends ConfiguratorBase {
   public static void validatePermissions(Class<?> implementingClass, 
Configuration conf,
       AccumuloClient client) throws IOException {
     Map<String,InputTableConfig> inputTableConfigs = 
getInputTableConfigs(implementingClass, conf);
+
     try {
       if (getInputTableConfigs(implementingClass, conf).isEmpty())
         throw new IOException("No table set.");
@@ -739,10 +750,19 @@ public class InputConfigurator extends ConfiguratorBase {
       String principal = ClientProperty.AUTH_PRINCIPAL.getValue(props);
 
       for (Map.Entry<String,InputTableConfig> tableConfig : 
inputTableConfigs.entrySet()) {
-        if (!client.securityOperations().hasTablePermission(principal, 
tableConfig.getKey(),
-            TablePermission.READ))
+
+        final String tableName = tableConfig.getKey();
+        final String namespace = extractNamespace(tableName);
+        final boolean hasTableRead = 
client.securityOperations().hasTablePermission(principal,
+            tableName, TablePermission.READ);
+        final boolean hasNamespaceRead = client.securityOperations()
+            .hasNamespacePermission(principal, namespace, 
NamespacePermission.READ);
+
+        if (!hasTableRead && !hasNamespaceRead) {
           throw new IOException("Unable to access table");
+        }
       }
+
       for (Map.Entry<String,InputTableConfig> tableConfigEntry : 
inputTableConfigs.entrySet()) {
         InputTableConfig tableConfig = tableConfigEntry.getValue();
         if (!tableConfig.shouldUseLocalIterators()) {
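Review bot: The `hasNamespaceRead` lookup runs for every table even when `hasTableRead` is already true, so a principal with table-level READ now depends on a second RPC that can fail on its own; the test added in this commit shows `hasNamespacePermission` raising NAMESPACE_DOESNT_EXIST. Short-circuiting avoids that: `if (!hasTableRead && !client.securityOperations().hasNamespacePermission(principal, namespace, NamespacePermission.READ)) {`. Going by the commit title this is a client-side fast-fail rather than the enforcement point, and a one-line comment saying so would stop later readers from treating it as the authorization decision. The enclosing try block and its catch clauses lie outside the hunk, so how such an exception would surface is not visible here.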
diff --git a/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java 
b/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
index 4a5eda1..c40a271 100644
--- a/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
+++ b/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
@@ -964,6 +964,32 @@ public class NamespacesIT extends SharedMiniClusterBase {
   }
 
   @Test
+  public void validatePermissions() throws Exception {
+    // Create namespace.
+    c.namespaceOperations().create(namespace);
+
+    assertTrue(c.securityOperations().hasNamespacePermission(c.whoami(), 
namespace,
+        NamespacePermission.READ));
+    c.securityOperations().revokeNamespacePermission(c.whoami(), namespace,
+        NamespacePermission.READ);
+    assertFalse(c.securityOperations().hasNamespacePermission(c.whoami(), 
namespace,
+        NamespacePermission.READ));
+    c.securityOperations().grantNamespacePermission(c.whoami(), namespace,
+        NamespacePermission.READ);
+    assertTrue(c.securityOperations().hasNamespacePermission(c.whoami(), 
namespace,
+        NamespacePermission.READ));
+
+    c.namespaceOperations().delete(namespace);
+
+    assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> 
c.securityOperations()
+        .hasNamespacePermission(c.whoami(), namespace, 
NamespacePermission.READ));
+    assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> 
c.securityOperations()
+        .grantNamespacePermission(c.whoami(), namespace, 
NamespacePermission.READ));
+    assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> 
c.securityOperations()
+        .revokeNamespacePermission(c.whoami(), namespace, 
NamespacePermission.READ));
+  }
+
+  @Test
   public void verifyTableOperationsExceptions() throws Exception {
     String tableName = namespace + ".1";
     IteratorSetting setting = new IteratorSetting(200, 
VersioningIterator.class);
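Review bot: The new test `validatePermissions` never calls `InputConfigurator.validatePermissions`, so the changed decision `!hasTableRead && !hasNamespaceRead` is not exercised; it only checks grant, revoke and has on `securityOperations()`. I would add cases where table READ is revoked while namespace READ is held, the reverse, and neither, asserting that only the last one throws IOException. Renaming this test to something like `namespaceReadPermissionLifecycle` would make clear what it actually covers. `verifyTableOperationsExceptions` continues outside the hunk.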
