[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables

Mon, 21 Dec 2020 23:53:05 -0800 


     [ 
https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated HBASE-25432:
--------------------------
    Summary: we should add security checks for list_namespace_tables  (was: we 
should add security checks for list_namespace_tables and fix securiry hole in 
listTableDescriptorsByNamespace)

> we should add security checks for list_namespace_tables
> -------------------------------------------------------
>
>                 Key: HBASE-25432
>                 URL: https://issues.apache.org/jira/browse/HBASE-25432
>             Project: HBase
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Major
>
> list_namespace_tables miss security check. 
> listTableDescriptorsByNamespace has security check, but it is useless.
> code of listTableDescriptorsByNamespace is
>  
> {code:java}
>   public List<TableDescriptor> listTableDescriptorsByNamespace(String name) 
> throws IOException {
>     checkInitialized();
>     return listTableDescriptors(name, null, null, true);
>  }
> {code}
> listTableDescriptors code is
> {code:java}
>   public List<TableDescriptor> listTableDescriptors(final String namespace, 
> final String regex,
>       final List<TableName> tableNameList, final boolean includeSysTables)
>   throws IOException {
>     List<TableDescriptor> htds = new ArrayList<>();
>     if (cpHost != null) {
>       cpHost.preGetTableDescriptors(tableNameList, htds, regex);
>     }
>     htds = getTableDescriptors(htds, namespace, regex, tableNameList, 
> includeSysTables);
>     if (cpHost != null) {
>       cpHost.postGetTableDescriptors(tableNameList, htds, regex);
>     }
>     return htds;
>   }
> {code}
>  we can see that tableNameList is empty.
> in the AccessController, empty tableNameList is empty:
> {code:java}
>  public void 
> preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,
>        List<TableName> tableNamesList, List<TableDescriptor> descriptors,
>        String regex) throws IOException {
>     // We are delegating the authorization check to postGetTableDescriptors 
> as we don't have
>     // any concrete set of table names when a regex is present or the full 
> list is requested.
>     if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) 
> {
>       // Otherwise, if the requestor has ADMIN or CREATE privs for all listed 
> tables, the
>       // request can be granted.
>       try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
>         for (TableName tableName : tableNamesList) {
>           // Skip checks for a table that does not exist
>           if (!admin.tableExists(tableName)) {
>             continue;
>           }
>           requirePermission(ctx, "getTableDescriptors", tableName, null, 
> null, Action.ADMIN,
>             Action.CREATE);
>         }
>       }
>     }
>   }
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to