[jira] [Commented] (HBASE-13294) Fix the critical ancient loopholes in security testing infrastructure.

Tue, 24 Mar 2015 14:05:01 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-13294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14378605#comment-14378605
 ] 

Srikanth Srungarapu commented on HBASE-13294:
---------------------------------------------

Javadoc warnings not related.
{code}
[WARNING] Javadoc Warnings
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/replication/regionserver/ReplicationSourceManager.java:122:
 warning - @param argument "stopper" is not a parameter name.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/replication/regionserver/ReplicationSourceManager.java:370:
 warning - @param argument "stopper" is not a parameter name.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/mapred/TableInputFormatBase.java:73:
 warning - @Override is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java:488:
 warning - @return tag has no arguments.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:86:
 warning - @link#getUserAuths(byte[], is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:153:
 warning - @link#havingSystemAuth(User) is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:86:
 warning - @link#getUserAuths(byte[], is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:153:
 warning - @link#havingSystemAuth(User) is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/master/AssignmentListener.java:44:
 warning - @param argument "serverName" is not a parameter name.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java:2295:
 warning - Tag @see: can't find 
channelWrite(java.nio.channels.WritableByteChannel, java.nio.ByteBuffer) in 
org.apache.hadoop.hbase.ipc.RpcServer
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionServerServices.java:144:
 warning - @param argument "instance" is not a parameter name.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/SplitLogWorker.java:437:
 warning - @return tag has no arguments.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/HLogSplitter.java:1897:
 warning - @return tag has no arguments.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/mapreduce/TableInputFormatBase.java:90:
 warning - @Override is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/mapreduce/TableSnapshotInputFormat.java:98:
 warning - Tag @link: reference not found: ExportSnapshot
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/BlockCacheUtil.java:235:
 warning - Tag @see: reference not found: getLoadedCachedBlocksByFile
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:86:
 warning - @link#getUserAuths(byte[], is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:153:
 warning - @link#havingSystemAuth(User) is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:86:
 warning - @link#getUserAuths(byte[], is an unknown tag.
[WARNING] 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelService.java:153:
 warning - @link#havingSystemAuth(User) is an unknown tag.
{code}

Grepped for changed files in  
[findbugs|https://builds.apache.org/job/PreCommit-HBASE-Build/13392//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html]
 warnings, but not matches.

> Fix the critical ancient loopholes in security testing infrastructure.
> ----------------------------------------------------------------------
>
>                 Key: HBASE-13294
>                 URL: https://issues.apache.org/jira/browse/HBASE-13294
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Srikanth Srungarapu
>            Assignee: Srikanth Srungarapu
>         Attachments: HBASE-13294-0.98.patch, HBASE-13294-0.98.patch, 
> HBASE-13294.patch, HBASE-13294_v2.patch, HBASE-13294_v3.patch, 
> HBASE-13294_v3.patch, HBASE-13294_v4.patch, HBASE-13294_v5.patch, 
> HBASE-13294_v6.patch, HBASE-13294_v6.patch
>
>
> Unfortunately, the "verifyDenied" method doesn't fail when action parameter 
> returns null. The relevant code snippet
> {code}
> try {
>         Object obj = user.runAs(action);
>         if (requireException) {
>           fail("Expected exception was not thrown for user '" + 
> user.getShortName() + "'");
>         }
>         if (obj != null && obj instanceof List<?>) {
>           List<?> results = (List<?>) obj;
>           if (results != null && !results.isEmpty()) {
>             fail("Unexpected results for user '" + user.getShortName() + "'");
>           }
>         }
>       }
> {code}
> As you can see, when obj is null, it returns silently. 
> Fixing this issue has uncovered another major bug. While constructing 
> actions, we're using TEST_UTIL.getConnection(), which replaces the "doAs" 
> user with the user who initiated the connection. I really am grateful to 
> [~mbertozzi] without whom debugging this would have been a nightmare. 
> Now, fixing these two issues have uncovered more issues in our tests :). The 
> main one is we're allowing the table owner to truncate table in code. But, in 
> test, we're not allowing him. We should either remove the code that allows 
> owner or document that the table owner can truncate table.
> The other minor issues include granting permissions to namespace, but 
> checking whether user was able to access tables inside other namespace.  
> That's it, folks! 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to