[hbase] branch branch-2.3 updated: HBASE-25456 : add security check for setRegionStateInMeta (#2836) (#2833)

vjasani Thu, 31 Dec 2020 22:50:45 -0800

This is an automated email from the ASF dual-hosted git repository.

vjasani pushed a commit to branch branch-2.3
in repository https://gitbox.apache.org/repos/asf/hbase.git



The following commit(s) were added to refs/heads/branch-2.3 by this push:
     new 5abf4e9  HBASE-25456 : add security check for setRegionStateInMeta 
(#2836) (#2833)
5abf4e9 is described below

commit 5abf4e97ef9b07072d12096856f0aeb3512d2ff0
Author: lujiefsi <lujie...@foxmail.com>
AuthorDate: Fri Jan 1 14:50:18 2021 +0800

    HBASE-25456 : add security check for setRegionStateInMeta (#2836) (#2833)
    
    Signed-off-by: Viraj Jasani <vjas...@apache.org>
---
 .../hadoop/hbase/master/MasterRpcServices.java     |  1 +
 .../security/access/TestAccessController.java      | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 0d5f6ee..566482a 100644
--- 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2485,6 +2485,7 @@ public class MasterRpcServices extends RSRpcServices 
implements
   @Override
   public SetRegionStateInMetaResponse setRegionStateInMeta(RpcController 
controller,
     SetRegionStateInMetaRequest request) throws ServiceException {
+    rpcPreCheck("setRegionStateInMeta");
     SetRegionStateInMetaResponse.Builder builder = 
SetRegionStateInMetaResponse.newBuilder();
     try {
       for (RegionSpecifierAndState s : request.getStatesList()) {
diff --git 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index cec8c26..bd61c98 100644
--- 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -36,7 +36,10 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.FileStatus;
@@ -69,6 +72,7 @@ import org.apache.hadoop.hbase.client.Hbck;
 import org.apache.hadoop.hbase.client.Increment;
 import org.apache.hadoop.hbase.client.MasterSwitchType;
 import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.RegionInfo;
 import org.apache.hadoop.hbase.client.RegionLocator;
 import org.apache.hadoop.hbase.client.Result;
 import org.apache.hadoop.hbase.client.ResultScanner;
@@ -102,6 +106,7 @@ import org.apache.hadoop.hbase.io.hfile.HFileContext;
 import org.apache.hadoop.hbase.io.hfile.HFileContextBuilder;
 import org.apache.hadoop.hbase.master.HMaster;
 import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
+import org.apache.hadoop.hbase.master.RegionState;
 import org.apache.hadoop.hbase.master.locking.LockProcedure;
 import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
 import org.apache.hadoop.hbase.master.procedure.TableProcedureInterface;
@@ -391,6 +396,25 @@ public class TestAccessController extends SecureTestUtil {
   }
 
   @Test
+  public void testUnauthorizedSetRegionStateInMeta() throws Exception {
+    Admin admin = TEST_UTIL.getAdmin();
+    final List<RegionInfo> regions = admin.getRegions(TEST_TABLE);
+    RegionInfo closeRegion = regions.get(0);
+    Map<String, RegionState.State> newStates = new HashMap<>();
+    newStates.put(closeRegion.getEncodedName(), RegionState.State.CLOSED);
+    AccessTestAction action = () -> {
+      try(Connection conn = 
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+        Hbck hbck = conn.getHbck()){
+        hbck.setRegionStateInMeta(newStates);
+      }
+      return null;
+    };
+
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, 
USER_GROUP_READ,
+        USER_GROUP_WRITE, USER_GROUP_CREATE);
+  }
+
+  @Test
   public void testUnauthorizedFixMeta() throws Exception {
     AccessTestAction action = () -> {
       try(Connection conn = 
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());

[hbase] branch branch-2.3 updated: HBASE-25456 : add security check for setRegionStateInMeta (#2836) (#2833)

Reply via email to