HBASE-12098 User granted namespace table create permissions can't create a table (Srikanth Srungarapu)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/469bfdf9 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/469bfdf9 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/469bfdf9 Branch: refs/heads/branch-1 Commit: 469bfdf95afbef001e9c47b40efd0c42a1a25a46 Parents: f719b57 Author: Matteo Bertozzi <[email protected]> Authored: Tue Sep 30 19:10:00 2014 +0100 Committer: Matteo Bertozzi <[email protected]> Committed: Tue Sep 30 19:13:45 2014 +0100 ---------------------------------------------------------------------- .../hbase/security/access/AccessController.java | 3 +- .../security/access/TestNamespaceCommands.java | 39 +++++++++++++++++--- 2 files changed, 36 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/469bfdf9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 975651e..3e5635a 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -485,7 +485,8 @@ public class AccessController extends BaseMasterAndRegionObserver private void requireGlobalPermission(String request, Action perm, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException { User user = getActiveUser(); - if (authManager.authorize(user, perm)) { + if (authManager.authorize(user, perm) || (tableName != null && + authManager.authorize(user, tableName.getNamespaceAsString(), perm))) { logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap)); } else { logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap)); http://git-wip-us.apache.org/repos/asf/hbase/blob/469bfdf9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index b1884e9..56b3814 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -22,11 +22,17 @@ import static org.junit.Assert.assertTrue; import java.util.List; +import com.google.common.collect.ListMultimap; +import com.google.protobuf.BlockingRpcChannel; + import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtility; +import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HConstants; -import org.apache.hadoop.hbase.MediumTests; +import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.NamespaceDescriptor; +import org.apache.hadoop.hbase.MediumTests; +import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Result; @@ -38,14 +44,15 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessCont import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.util.Bytes; - import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; import org.junit.experimental.categories.Category; -import com.google.common.collect.ListMultimap; -import com.google.protobuf.BlockingRpcChannel; +import java.util.List; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; @Category(MediumTests.class) public class TestNamespaceCommands extends SecureTestUtil { @@ -63,6 +70,9 @@ public class TestNamespaceCommands extends SecureTestUtil { private static User USER_CREATE; // user with permission on namespace for testing all operations. private static User USER_NSP_WRITE; + + private static String TEST_TABLE = TestNamespace + ":testtable"; + private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); @BeforeClass public static void beforeClass() throws Exception { @@ -85,7 +95,7 @@ public class TestNamespaceCommands extends SecureTestUtil { UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build()); grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(), - TestNamespace, Permission.Action.WRITE); + TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE); } @AfterClass @@ -189,4 +199,23 @@ public class TestNamespaceCommands extends SecureTestUtil { verifyAllowed(revokeAction, SUPERUSER); verifyDenied(revokeAction, USER_CREATE, USER_RW); } + + @Test + public void testCreateTableWithNamespace() throws Exception { + AccessTestAction createTable = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE)); + htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); + ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null); + return null; + } + }; + + // Only users with create permissions on namespace should be able to create a new table + verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE); + + // all others should be denied + verifyDenied(createTable, USER_CREATE, USER_RW); + } }
