Repository: hbase Updated Branches: refs/heads/branch-1.2 f5cebbbaf -> c813146d1
HBASE-14809 Grant / revoke Namespace admin permission to group Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/c813146d Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/c813146d Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/c813146d Branch: refs/heads/branch-1.2 Commit: c813146d15e9bd264e6ade60ee0115e975768a4a Parents: f5cebbb Author: tedyu <yuzhih...@gmail.com> Authored: Mon Nov 16 09:35:14 2015 -0800 Committer: tedyu <yuzhih...@gmail.com> Committed: Mon Nov 16 09:35:14 2015 -0800 ---------------------------------------------------------------------- .../hbase/security/access/AccessController.java | 4 +- .../security/access/TestNamespaceCommands.java | 72 ++++++++++++++++++-- 2 files changed, 67 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/c813146d/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java ----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index dc66754..0f1a112 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2165,7 +2165,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 perm.getQualifier(), Action.ADMIN);
 break;
 case Namespace :
- requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
+ requireNamespacePermission("grant", perm.getNamespace(), Action.ADMIN);
 break;
 }
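Review bot: With the check on the `+` line, ADMIN on the target namespace is enough to grant any action on that namespace, including ADMIN itself, since nothing in this hunk looks at perm.getActions(); that delegation is the intent of the change but it is stated nowhere, so the Javadoc of the enclosing grant() (which starts and ends outside this hunk) should carry it, e.g. `Namespace-scoped grants require ADMIN on that namespace; global ADMIN also satisfies the check.` The second half of that sentence is inferred from the test side of this commit, which keeps USER_GLOBAL_ADMIN in the allowed list, so confirm it against requireNamespacePermission before wording it as a guarantee. The same change and the same documentation gap appear in the revoke hunk at -2216.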
@@ -2216,7 +2216,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 perm.getQualifier(), Action.ADMIN);
 break;
 case Namespace :
- requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
+ requireNamespacePermission("revoke", perm.getNamespace(), Action.ADMIN);
 break;
 }
http://git-wip-us.apache.org/repos/asf/hbase/blob/c813146d/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java ----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 4af918d..064daa2 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -23,7 +23,10 @@ import static org.junit.Assert.assertTrue;
 import java.util.List;
 import java.util.Arrays;
+import java.util.Map;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
@@ -56,6 +59,7 @@ import com.google.protobuf.BlockingRpcChannel;
 @Category(MediumTests.class)
 public class TestNamespaceCommands extends SecureTestUtil {
 private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
+ private static final Log LOG = LogFactory.getLog(TestNamespaceCommands.class);
 private static String TEST_NAMESPACE = "ns1";
 private static String TEST_NAMESPACE2 = "ns2";
 private static Configuration conf;
@@ -93,11 +97,13 @@ public class TestNamespaceCommands extends SecureTestUtil { private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_NS_ADMIN = "group_ns_admin"; private static final String GROUP_CREATE = "group_create"; private static final String GROUP_READ = "group_read"; private static final String GROUP_WRITE = "group_write"; private static User USER_GROUP_ADMIN; + private static User USER_GROUP_NS_ADMIN; private static User USER_GROUP_CREATE; private static User USER_GROUP_READ; private static User USER_GROUP_WRITE; @@ -130,6 +136,8 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_GROUP_ADMIN = User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_NS_ADMIN = + User.createUserForTesting(conf, "user_group_ns_admin", new String[] { GROUP_NS_ADMIN }); USER_GROUP_CREATE = User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); USER_GROUP_READ = @@ -162,6 +170,7 @@ public class TestNamespaceCommands extends SecureTestUtil { grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, Permission.Action.WRITE); grantOnNamespace(UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, Permission.Action.READ); grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC); + grantOnNamespace(UTIL, toGroupEntry(GROUP_NS_ADMIN), TEST_NAMESPACE, Permission.Action.ADMIN); grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN); 
@@ -187,7 +196,10 @@ public class TestNamespaceCommands extends SecureTestUtil { AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); - assertEquals(5, perms.size()); + for (Map.Entry<String, TablePermission> entry : perms.entries()) { + LOG.debug(entry); + } + assertEquals(6, perms.size()); // Grant and check state in ACL table grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE, @@ -196,7 +208,7 @@ public class TestNamespaceCommands extends SecureTestUtil { Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace))); assertTrue(result != null); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); - assertEquals(6, perms.size()); + assertEquals(7, perms.size()); List<TablePermission> namespacePerms = perms.get(userTestNamespace); assertTrue(perms.containsKey(userTestNamespace)); assertEquals(1, namespacePerms.size()); @@ -212,7 +224,7 @@ public class TestNamespaceCommands extends SecureTestUtil { Permission.Action.WRITE); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); - assertEquals(5, perms.size()); + assertEquals(6, perms.size()); } } 
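Review bot: The for loop added before the first assertEquals dumps every namespace permission entry through LOG.debug on each run, which reads as leftover diagnostics rather than test logic; either guard it with `if (LOG.isDebugEnabled())` or drop it now that the expected count is settled. The bumped literals (5 to 6, 6 to 7) would also be easier to maintain with a comment on the first one, e.g. `// one more than before: setUp now grants ADMIN on TEST_NAMESPACE to the GROUP_NS_ADMIN group`, since that is the grant this commit adds in the setup hunk. The enclosing test method starts before this hunk.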
@@ -350,6 +362,21 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; + AccessTestAction grantNamespaceAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { + BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, USER_GROUP_NS_ADMIN.getShortName(), + TEST_NAMESPACE, Action.READ); + } + return null; + } + }; + AccessTestAction revokeAction = new AccessTestAction() { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); @@ -364,6 +391,25 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; + AccessTestAction revokeNamespaceAction = new AccessTestAction() { + public Object run() throws Exception { + Connection connection = ConnectionFactory.createConnection(conf); + Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = + acl.coprocessorService(HConstants.EMPTY_START_ROW); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, USER_GROUP_NS_ADMIN.getShortName(), + TEST_NAMESPACE, Action.READ); + } finally { + acl.close(); + connection.close(); + } + return null; + } + }; + AccessTestAction getPermissionsAction = new AccessTestAction() { @Override public Object run() throws Exception { 
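Review bot: In the -364 hunk, revokeNamespaceAction creates the Connection and calls connection.getTable() before entering the try, so if getTable throws the connection is never closed, and it also omits the @Override that grantNamespaceAction in the -350 hunk carries. The two actions are otherwise identical in shape, so revokeNamespaceAction should use the same try-with-resources form; the stub creation and the ProtobufUtil.revoke call stay as they are. Both anonymous classes are complete within their hunks; the enclosing test method is not.
```java
AccessTestAction revokeNamespaceAction = new AccessTestAction() {
  @Override
  public Object run() throws Exception {
    try (Connection connection = ConnectionFactory.createConnection(conf);
        Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
      // … unchanged: BlockingRpcChannel/stub creation and ProtobufUtil.revoke(...) …
    }
    return null;
  }
};
```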
@@ -378,14 +424,26 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN); verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, - USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, + USER_NS_ADMIN, USER_GROUP_NS_ADMIN); + verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + + verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN); verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, - USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + + verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, + USER_NS_ADMIN, USER_GROUP_NS_ADMIN); + verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
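Review bot: The new allowed/denied lists never exercise a principal whose ADMIN is on a different namespace than the one being granted or revoked, which is exactly the boundary the switch from requireGlobalPermission to requireNamespacePermission has to hold. USER_GROUP_NS_ADMIN only receives ADMIN on TEST_NAMESPACE in the setup hunk, so a variant of grantNamespaceAction and revokeNamespaceAction that targets TEST_NAMESPACE2 with `verifyDenied(grantNamespaceAction2, USER_GROUP_NS_ADMIN);` would pin that; USER_NS_ADMIN is not usable for this negative because, judging from the setup hunk and its presence in the allowed lists, it holds ADMIN on both namespaces. The enclosing test method starts before this hunk.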