ramkrishna.s.vasudevan created HBASE-11411:
----------------------------------------------
Summary: [AccessController] Cell level permissions were not checked when using CELL_FIRST_STRATEGY
Key: HBASE-11411
URL: https://issues.apache.org/jira/browse/HBASE-11411
Project: HBase
Issue Type: Bug
Reporter: ramkrishna.s.vasudevan
Assignee: ramkrishna.s.vasudevan
In doing read operations with ACL we were checking whether there is READ permission granted on the table:
{code}
AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);
HRegion region = getRegion(env);
TableName table = getTableName(region);
Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();
for (HColumnDescriptor hcd : region.getTableDesc().getFamilies()) {
  cfVsMaxVersions.put(new SimpleByteRange(hcd.getName()), hcd.getMaxVersions());
}
{code}
If there is no permission then we were checking for the type of cell level permission:
{code}
case CHECK_CELL_DEFAULT: {
  if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||
      authManager.authorize(user, table, cell, Permission.Action.READ)) {
    return ReturnCode.INCLUDE;
  }
}
break;
// Cell permissions must authorize
case CHECK_CELL_FIRST: {
  if (authManager.authorize(user, table, cell, Permission.Action.READ) &&
      authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) {
    return ReturnCode.INCLUDE;
  }
}
break;
{code}
For CELL_FIRST_STRATEGY:
-> If the user had been granted READ permission on the table itself, then even if the cell level was not granting access we were able to read the cell.
-> If table level READ permission was not there, then the && condition was failing, preventing the read of any cell even with READ permission.
The 2nd one was an intended behaviour, but for the first one I think we should see if the cell was really readable too.
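As an added illustration (not HBase code), the following Java model reproduces the two CELL_FIRST outcomes listed above and contrasts them with a variant that always consults the cell ACL under CHECK_CELL_FIRST, which is one reading of the reporter's suggestion rather than the committed fix; Strategy, Grants and the method names are assumptions for the demo.

```java
// Added illustration, not HBase code: a minimal model of the read-authorization flow
// this issue describes. Strategy, Grants and the helper names are assumptions.
public class CellFirstModel {
    enum Strategy { CHECK_CELL_DEFAULT, CHECK_CELL_FIRST }

    /** Simulated grants for one user on one cell (constructed for the demo). */
    static final class Grants {
        final boolean tableRead;  // READ granted at table/family level
        final boolean cellRead;   // READ granted by the cell's own ACL tag
        Grants(boolean tableRead, boolean cellRead) {
            this.tableRead = tableRead;
            this.cellRead = cellRead;
        }
    }

    /** The per-cell filter decision, as quoted in the issue. */
    static boolean cellFilterIncludes(Strategy s, Grants g) {
        switch (s) {
            case CHECK_CELL_DEFAULT: return g.tableRead || g.cellRead;
            case CHECK_CELL_FIRST:   return g.cellRead && g.tableRead;
            default:                 return false;
        }
    }

    /** Reported behaviour: the filter is only consulted when the table-level check failed. */
    static boolean readAllowedReported(Strategy s, Grants g) {
        if (g.tableRead) return true;   // cell ACL is never looked at
        return cellFilterIncludes(s, g);
    }

    /** Reporter's direction: under CHECK_CELL_FIRST the cell grant must also hold. */
    static boolean readAllowedCellChecked(Strategy s, Grants g) {
        if (s == Strategy.CHECK_CELL_FIRST) return g.tableRead && g.cellRead;
        return readAllowedReported(s, g);
    }

    public static void main(String[] args) {
        Strategy s = Strategy.CHECK_CELL_FIRST;
        Grants tableOnly = new Grants(true, false);   // case 1 in the issue
        Grants cellOnly  = new Grants(false, true);   // case 2 in the issue
        System.out.println("table READ, cell denies  -> reported: "
                + readAllowedReported(s, tableOnly)
                + ", cell-checked: " + readAllowedCellChecked(s, tableOnly));
        System.out.println("no table READ, cell grants -> reported: "
                + readAllowedReported(s, cellOnly)
                + ", cell-checked: " + readAllowedCellChecked(s, cellOnly));
    }
}
```

The first line of output shows the reported gap (table-level READ alone admits a cell whose ACL denies it); the second shows the intended denial when table-level READ is absent.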
--
This message was sent by Atlassian JIRA
(v6.2#6252)