This is an automated email from the ASF dual-hosted git repository. ctubbsii pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/main by this push:
new cfd8d44 Check namespace perm for fast-failure in InputConfigurator (#1693)
cfd8d44 is described below
commit cfd8d4481f16880e17e2f5a3247628ab9d409f88
Author: tynyttie <ty_barnes_j...@yahoo.com>
AuthorDate: Tue Sep 1 11:54:59 2020 -0400
Check namespace perm for fast-failure in InputConfigurator (#1693)
---
 .../mapreduce/lib/InputConfigurator.java | 24 ++++++++++++++++++--
 .../org/apache/accumulo/test/NamespacesIT.java | 26 ++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java b/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
index 1e6d3e0..9155235 100644
--- a/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
+++ b/hadoop-mapreduce/src/main/java/org/apache/accumulo/hadoopImpl/mapreduce/lib/InputConfigurator.java
@@ -67,6 +67,7 @@ import org.apache.accumulo.core.metadata.MetadataTable;
 import org.apache.accumulo.core.metadata.schema.MetadataSchema;
 import org.apache.accumulo.core.sample.impl.SamplerConfigurationImpl;
 import org.apache.accumulo.core.security.Authorizations;
+import org.apache.accumulo.core.security.NamespacePermission;
 import org.apache.accumulo.core.security.TablePermission;
 import org.apache.accumulo.core.util.Pair;
 import org.apache.accumulo.core.util.TextUtil;
@@ -717,6 +718,15 @@ public class InputConfigurator extends ConfiguratorBase {
 }
 }
+ private static String extractNamespace(final String tableName) {
+ final int delimiterPos = tableName.indexOf('.');
+ if (delimiterPos < 1) {
+ return ""; // default namespace
+ } else {
+ return tableName.substring(0, delimiterPos);
+ }
+ }
+
 /**
 * Validates that the user has permissions on the requested tables
 *
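Review bot: extractNamespace has no Javadoc, and its `delimiterPos < 1` test maps a name with a leading '.' to the default namespace in the same way as an unqualified name, which is worth stating because validatePermissions keys a permission query on the result. A one-line comment would do, for example `/** Returns the namespace prefix of a qualified table name, or "" (the default namespace) when the name has no prefix. */`. If the client code already has a helper for splitting qualified table names, reusing it here would keep the parsing rules in one place.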
@@ -731,6 +741,7 @@ public class InputConfigurator extends ConfiguratorBase {
 public static void validatePermissions(Class<?> implementingClass, Configuration conf,
 AccumuloClient client) throws IOException {
 Map<String,InputTableConfig> inputTableConfigs = getInputTableConfigs(implementingClass, conf);
+
 try {
 if (getInputTableConfigs(implementingClass, conf).isEmpty())
 throw new IOException("No table set.");
@@ -739,10 +750,19 @@ public class InputConfigurator extends ConfiguratorBase {
 String principal = ClientProperty.AUTH_PRINCIPAL.getValue(props);
 for (Map.Entry<String,InputTableConfig> tableConfig : inputTableConfigs.entrySet()) {
- if (!client.securityOperations().hasTablePermission(principal, tableConfig.getKey(),
- TablePermission.READ))
+
+ final String tableName = tableConfig.getKey();
+ final String namespace = extractNamespace(tableName);
+ final boolean hasTableRead = client.securityOperations().hasTablePermission(principal,
+ tableName, TablePermission.READ);
+ final boolean hasNamespaceRead = client.securityOperations()
+ .hasNamespacePermission(principal, namespace, NamespacePermission.READ);
+
+ if (!hasTableRead && !hasNamespaceRead) {
 throw new IOException("Unable to access table");
+ }
 }
+
 for (Map.Entry<String,InputTableConfig> tableConfigEntry : inputTableConfigs.entrySet()) {
 InputTableConfig tableConfig = tableConfigEntry.getValue();
 if (!tableConfig.shouldUseLocalIterators()) {
diff --git a/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java b/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
index 4a5eda1..c40a271 100644
--- a/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
+++ b/test/src/main/java/org/apache/accumulo/test/NamespacesIT.java
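Review bot: In InputConfigurator.validatePermissions the namespace lookup runs for every input table even when `hasTableRead` is already true, so the common case pays a second permission query and the pre-check can now fail on the namespace call itself (the NamespacesIT test in this commit shows it raising NAMESPACE_DOESNT_EXIST). Folding the call into the condition keeps the short-circuit: `if (!hasTableRead && !client.securityOperations().hasNamespacePermission(principal, namespace, NamespacePermission.READ)) {`. The message `"Unable to access table"` would help the operator more if it named `tableName` and the missing READ permission. Because this is a client-side fast-fail, a comment such as `// fast-fail only; not an authorization boundary` would stop later readers from treating it as the enforcement point. The try block's catch clauses lie outside the hunk, so how a thrown security exception is reported is presumably decided there.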
@@ -964,6 +964,32 @@ public class NamespacesIT extends SharedMiniClusterBase {
 }
 @Test
+ public void validatePermissions() throws Exception {
+ // Create namespace.
+ c.namespaceOperations().create(namespace);
+
+ assertTrue(c.securityOperations().hasNamespacePermission(c.whoami(), namespace,
+ NamespacePermission.READ));
+ c.securityOperations().revokeNamespacePermission(c.whoami(), namespace,
+ NamespacePermission.READ);
+ assertFalse(c.securityOperations().hasNamespacePermission(c.whoami(), namespace,
+ NamespacePermission.READ));
+ c.securityOperations().grantNamespacePermission(c.whoami(), namespace,
+ NamespacePermission.READ);
+ assertTrue(c.securityOperations().hasNamespacePermission(c.whoami(), namespace,
+ NamespacePermission.READ));
+
+ c.namespaceOperations().delete(namespace);
+
+ assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> c.securityOperations()
+ .hasNamespacePermission(c.whoami(), namespace, NamespacePermission.READ));
+ assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> c.securityOperations()
+ .grantNamespacePermission(c.whoami(), namespace, NamespacePermission.READ));
+ assertSecurityException(SecurityErrorCode.NAMESPACE_DOESNT_EXIST, () -> c.securityOperations()
+ .revokeNamespacePermission(c.whoami(), namespace, NamespacePermission.READ));
+ }
+
+ @Test
 public void verifyTableOperationsExceptions() throws Exception {
 String tableName = namespace + ".1";
 IteratorSetting setting = new IteratorSetting(200, VersioningIterator.class);
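Review bot: The new test is named validatePermissions but never calls InputConfigurator.validatePermissions; it only grants, revokes and re-checks NamespacePermission.READ through securityOperations(). The behaviour this commit changes, accepting a table when either table READ or namespace READ is held and rejecting it when both are missing, is therefore not covered by anything visible here. A case that holds neither permission and expects the IOException, and one that holds only namespace READ and expects success, would pin the new condition. Renaming this method to something like `namespaceReadGrantAndRevoke` would also match what it actually asserts.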