This is an automated email from the ASF dual-hosted git repository. vjasani pushed a commit to branch branch-2.3 in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.3 by this push: new 5abf4e9 HBASE-25456 : add security check for setRegionStateInMeta (#2836) (#2833) 5abf4e9 is described below commit 5abf4e97ef9b07072d12096856f0aeb3512d2ff0 Author: lujiefsi <lujie...@foxmail.com> AuthorDate: Fri Jan 1 14:50:18 2021 +0800 HBASE-25456 : add security check for setRegionStateInMeta (#2836) (#2833) Signed-off-by: Viraj Jasani <vjas...@apache.org>
---
 .../hadoop/hbase/master/MasterRpcServices.java | 1 +
 .../security/access/TestAccessController.java | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 0d5f6ee..566482a 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2485,6 +2485,7 @@ public class MasterRpcServices extends RSRpcServices implements
 @Override
 public SetRegionStateInMetaResponse setRegionStateInMeta(RpcController controller,
 SetRegionStateInMetaRequest request) throws ServiceException {
+ rpcPreCheck("setRegionStateInMeta");
 SetRegionStateInMetaResponse.Builder builder = SetRegionStateInMetaResponse.newBuilder();
 try {
 for (RegionSpecifierAndState s : request.getStatesList()) {
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index cec8c26..bd61c98 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
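Review bot: The new `rpcPreCheck("setRegionStateInMeta");` call at the top of setRegionStateInMeta in MasterRpcServices.java has no comment saying which permission it demands, and rpcPreCheck is defined outside this hunk, so the call site does not show who may change region state in meta. A one-line comment above the call would record that, for example `// hbck repair RPC that rewrites region state in meta: authorize the caller before doing any work`, with the required action named once it is confirmed against rpcPreCheck. If rpcPreCheck also rejects requests while the master is still initializing, that side effect should be confirmed as intended, because a repair RPC like this one is presumably used on a master that has not finished starting; a permission-only check may fit better in that case. The method body continues past the end of the hunk.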
@@ -36,7 +36,10 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.fs.FileStatus;
@@ -69,6 +72,7 @@ import org.apache.hadoop.hbase.client.Hbck;
 import org.apache.hadoop.hbase.client.Increment;
 import org.apache.hadoop.hbase.client.MasterSwitchType;
 import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.RegionInfo;
 import org.apache.hadoop.hbase.client.RegionLocator;
 import org.apache.hadoop.hbase.client.Result;
 import org.apache.hadoop.hbase.client.ResultScanner;
@@ -102,6 +106,7 @@ import org.apache.hadoop.hbase.io.hfile.HFileContext;
 import org.apache.hadoop.hbase.io.hfile.HFileContextBuilder;
 import org.apache.hadoop.hbase.master.HMaster;
 import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
+import org.apache.hadoop.hbase.master.RegionState;
 import org.apache.hadoop.hbase.master.locking.LockProcedure;
 import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
 import org.apache.hadoop.hbase.master.procedure.TableProcedureInterface;
@@ -391,6 +396,25 @@ public class TestAccessController extends SecureTestUtil {
 }
 
 @Test
+ public void testUnauthorizedSetRegionStateInMeta() throws Exception {
+ Admin admin = TEST_UTIL.getAdmin();
+ final List<RegionInfo> regions = admin.getRegions(TEST_TABLE);
+ RegionInfo closeRegion = regions.get(0);
+ Map<String, RegionState.State> newStates = new HashMap<>();
+ newStates.put(closeRegion.getEncodedName(), RegionState.State.CLOSED);
+ AccessTestAction action = () -> {
+ try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Hbck hbck = conn.getHbck()){
+ hbck.setRegionStateInMeta(newStates);
+ }
+ return null;
+ };
+
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
+ }
+
+ @Test
 public void testUnauthorizedFixMeta() throws Exception {
 AccessTestAction action = () -> {
 try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
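Review bot: testUnauthorizedSetRegionStateInMeta asserts only the denied side, so it would still pass if the new check turned away every caller, administrators included. A positive case such as `verifyAllowed(action, SUPERUSER, USER_ADMIN);` would pin the intended boundary. Because an allowed call really does write to meta, the map should then carry the region's current state instead of `RegionState.State.CLOSED`, so the shared test table is left as it was. As a style point, `try(` and `){` in the lambda would read better as `try (` and `) {`; the neighbouring testUnauthorizedFixMeta, whose body runs past the hunk, uses the same compact form.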