[ https://issues.apache.org/jira/browse/HBASE-11411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14043138#comment-14043138 ]

Hadoop QA commented on HBASE-11411:
-----------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest 
attachment 
  http://issues.apache.org/jira/secure/attachment/12652342/HBASE-11411.patch
  against trunk revision .
  ATTACHMENT ID: 12652342

    {color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

    {color:green}+1 tests included{color}.  The patch appears to include 6 new 
or modified tests.

    {color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

    {color:green}+1 javadoc{color}.  The javadoc tool did not generate any 
warning messages.

    {color:red}-1 findbugs{color}.  The patch appears to introduce 2 new 
Findbugs (version 1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

    {color:red}-1 lineLengths{color}.  The patch introduces the following lines 
longer than 100:
    +        // Here we know that the table/CF has read permission and so we 
could allow the cell first strategy 
+        AccessControlProtos.Permission.Action[] actions = { 
AccessControlProtos.Permission.Action.READ };

  {color:green}+1 site{color}.  The mvn site goal succeeds with this patch.

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Console output: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9844//console

This message is automatically generated.

> [AccessController] Cell level permissions were not checked when using 
> CELL_FIRST_STRATEGY
> -----------------------------------------------------------------------------------------
>
>                 Key: HBASE-11411
>                 URL: https://issues.apache.org/jira/browse/HBASE-11411
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.3
>            Reporter: ramkrishna.s.vasudevan
>            Assignee: ramkrishna.s.vasudevan
>             Fix For: 0.99.0, 0.98.4
>
>         Attachments: HBASE-11411.patch
>
>
> In doing read operations with ACL we were checking there is read permission 
> granted on the table
> {code}
> AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);
> HRegion region = getRegion(env);
> TableName table = getTableName(region);
> Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();
> for (HColumnDescriptor hcd : region.getTableDesc().getFamilies()) {
>   cfVsMaxVersions.put(new SimpleByteRange(hcd.getName()), hcd.getMaxVersions());
> }
> {code}
> If there is no permission then we were checking for the type of cell level 
> permission 
> {code}
>       case CHECK_CELL_DEFAULT: {
>         if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||
>             authManager.authorize(user, table, cell, Permission.Action.READ)) {
>           return ReturnCode.INCLUDE;
>         }
>       }
>       break;
>       // Cell permissions must authorize
>       case CHECK_CELL_FIRST: {
>         if (authManager.authorize(user, table, cell, Permission.Action.READ) &&
>             authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) {
>           return ReturnCode.INCLUDE;
>         }
> {code}
> For CELL_FIRST_STRATEGY 
> -> if the user had granted READ permission on the table itself then even if 
> cell level was not granting access we were able to read the cell.
> -> If table level READ permission was not there then the && condition was
> failing from reading any cell even with READ permission.
> The 2nd one was an intended behaviour but for the first one I think we should 
> see if really the cell was readable too.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
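
The behaviour described in the issue above, as an added example that is not part of the original message or of HBase's code: a simplified Java model of the table-level shortcut and the two cell strategies, run over constructed cells. All class, method and field names are hypothetical, and `readAsProposed` is an assumption drawn from the reporter's last sentence, not the attached patch.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the read path described in HBASE-11411. All names here are
// illustrative; none of this is HBase's AccessController code.
public class CellFirstModel {
    enum Strategy { CHECK_CELL_DEFAULT, CHECK_CELL_FIRST }

    // Constructed sample cell: cellRead says whether the cell's own ACL grants READ.
    record Cell(String row, boolean cellRead) {}

    // The per-cell filter from the description: OR for default, AND for cell-first.
    static boolean filterIncludes(Strategy s, boolean tableRead, Cell c) {
        return s == Strategy.CHECK_CELL_DEFAULT
                ? (tableRead || c.cellRead())
                : (c.cellRead() && tableRead);
    }

    // Reported behaviour: a table/CF READ grant returns before the filter is consulted.
    static List<String> readAsReported(Strategy s, boolean tableRead, List<Cell> cells) {
        List<String> out = new ArrayList<>();
        for (Cell c : cells) {
            if (tableRead || filterIncludes(s, tableRead, c)) out.add(c.row());
        }
        return out;
    }

    // Behaviour the reporter asks for (assumption, not the attached patch):
    // the per-cell filter always runs, so CHECK_CELL_FIRST still requires the cell grant.
    static List<String> readAsProposed(Strategy s, boolean tableRead, List<Cell> cells) {
        List<String> out = new ArrayList<>();
        for (Cell c : cells) {
            if (filterIncludes(s, tableRead, c)) out.add(c.row());
        }
        return out;
    }

    public static void main(String[] args) {
        List<Cell> cells = List.of(new Cell("r1", true), new Cell("r2", false));
        for (Strategy s : Strategy.values()) {
            for (boolean tableRead : new boolean[] {true, false}) {
                System.out.printf("%-18s tableRead=%-5b reported=%s proposed=%s%n", s, tableRead,
                        readAsReported(s, tableRead, cells), readAsProposed(s, tableRead, cells));
            }
        }
    }
}
```

The two methods differ only in the `CHECK_CELL_FIRST` row with a table-level grant, where the reported path returns the cell whose own ACL does not grant READ.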
