[
https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
lujie updated HBASE-25432:
--------------------------
Description:
list_namespace_tables miss security check.
listTableDescriptorsByNamespace has security check, but it is useless.
code of listTableDescriptorsByNamespace is
{code:java}
public List<TableDescriptor> listTableDescriptorsByNamespace(String name)
throws IOException {
checkInitialized();
return listTableDescriptors(name, null, null, true);
}
{code}
listTableDescriptors code is
{code:java}
public List<TableDescriptor> listTableDescriptors(final String namespace,
final String regex,
final List<TableName> tableNameList, final boolean includeSysTables)
throws IOException {
List<TableDescriptor> htds = new ArrayList<>();
if (cpHost != null) {
cpHost.preGetTableDescriptors(tableNameList, htds, regex);
}
htds = getTableDescriptors(htds, namespace, regex, tableNameList,
includeSysTables);
if (cpHost != null) {
cpHost.postGetTableDescriptors(tableNameList, htds, regex);
}
return htds;
}
{code}
we can see that tableNameList is empty.
in the AccessController, empty tableNameList is empty:
{code:java}
public void
preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
List<TableName> tableNamesList, List<TableDescriptor> descriptors,
String regex) throws IOException {
// We are delegating the authorization check to postGetTableDescriptors as
we don't have
// any concrete set of table names when a regex is present or the full list
is requested.
if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) {
// Otherwise, if the requestor has ADMIN or CREATE privs for all listed
tables, the
// request can be granted.
try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
for (TableName tableName : tableNamesList) {
// Skip checks for a table that does not exist
if (!admin.tableExists(tableName)) {
continue;
}
requirePermission(ctx, "getTableDescriptors", tableName, null, null,
Action.ADMIN,
Action.CREATE);
}
}
}
}
{code}
was:
list_namespace_tables miss security check.
Even
> we should add security checks for list_namespace_tables and fix securiry hole
> in listTableDescriptorsByNamespace
> ----------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-25432
> URL: https://issues.apache.org/jira/browse/HBASE-25432
> Project: HBase
> Issue Type: Bug
> Reporter: lujie
> Priority: Major
>
> list_namespace_tables miss security check.
> listTableDescriptorsByNamespace has security check, but it is useless.
> code of listTableDescriptorsByNamespace is
>
> {code:java}
> public List<TableDescriptor> listTableDescriptorsByNamespace(String name)
> throws IOException {
> checkInitialized();
> return listTableDescriptors(name, null, null, true);
> }
> {code}
> listTableDescriptors code is
> {code:java}
> public List<TableDescriptor> listTableDescriptors(final String namespace,
> final String regex,
> final List<TableName> tableNameList, final boolean includeSysTables)
> throws IOException {
> List<TableDescriptor> htds = new ArrayList<>();
> if (cpHost != null) {
> cpHost.preGetTableDescriptors(tableNameList, htds, regex);
> }
> htds = getTableDescriptors(htds, namespace, regex, tableNameList,
> includeSysTables);
> if (cpHost != null) {
> cpHost.postGetTableDescriptors(tableNameList, htds, regex);
> }
> return htds;
> }
> {code}
> we can see that tableNameList is empty.
> in the AccessController, empty tableNameList is empty:
> {code:java}
> public void
> preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
> List<TableName> tableNamesList, List<TableDescriptor> descriptors,
> String regex) throws IOException {
> // We are delegating the authorization check to postGetTableDescriptors
> as we don't have
> // any concrete set of table names when a regex is present or the full
> list is requested.
> if (regex == null && tableNamesList != null && !tableNamesList.isEmpty())
> {
> // Otherwise, if the requestor has ADMIN or CREATE privs for all listed
> tables, the
> // request can be granted.
> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
> for (TableName tableName : tableNamesList) {
> // Skip checks for a table that does not exist
> if (!admin.tableExists(tableName)) {
> continue;
> }
> requirePermission(ctx, "getTableDescriptors", tableName, null,
> null, Action.ADMIN,
> Action.CREATE);
> }
> }
> }
> }
> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
