HBASE-24345 [ACL] renameRSGroup should require Admin level permission (…

…#1683) Signed-off-by: binlijin <binlijin@gmail.com> Signed-off-by: Viraj Jasani <vjasani@apache.org>
apache · May 8, 2020 · 0cd70ed · 0cd70ed
1 parent 03e5a14
commit 0cd70ed
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2685,4 +2685,10 @@ public void preGetRSGroupInfoOfServer(ObserverContext<MasterCoprocessorEnvironme
         null, Permission.Action.ADMIN);
   }
 
+  @Override
+  public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+    accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup",
+      null, Permission.Action.ADMIN);
+  }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
@@ -331,6 +331,8 @@ public static class CPMasterObserver implements MasterCoprocessor, MasterObserve
     boolean postListTablesInRSGroupCalled = false;
     boolean preGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
     boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
+    boolean preRenameRSGroup = false;
+    boolean postRenameRSGroup = false;
 
     public void resetFlags() {
       preBalanceRSGroupCalled = false;
@@ -361,6 +363,8 @@ public void resetFlags() {
       postListTablesInRSGroupCalled = false;
       preGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
       postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
+      preRenameRSGroup = false;
+      postRenameRSGroup = false;
     }
 
     @Override
@@ -523,5 +527,17 @@ public void postGetConfiguredNamespacesAndTablesInRSGroup(
       ObserverContext<MasterCoprocessorEnvironment> ctx, String groupName) throws IOException {
       postGetConfiguredNamespacesAndTablesInRSGroupCalled = true;
     }
+
+    @Override
+    public void preRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+      preRenameRSGroup = true;
+    }
+
+    @Override
+    public void postRenameRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx, String oldName,
+      String newName) throws IOException {
+      postRenameRSGroup = true;
+    }
   }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@@ -319,6 +319,16 @@ public void testRemoveServers() throws Exception {
     validateAdminPermissions(action);
   }
 
+  @Test
+  public void testRenameRSGroup() throws Exception {
+    AccessTestAction action = () -> {
+      checkPermission("renameRSGroup");
+      return null;
+    };
+
+    validateAdminPermissions(action);
+  }
+
   private void validateAdminPermissions(AccessTestAction action) throws Exception {
     verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
     verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,