From 2a851e14cc980dff78bc514167da144226ec06c8 Mon Sep 17 00:00:00 2001
From: SiCheng-Zheng <643463623@qq.com>
Date: Fri, 11 Nov 2022 18:29:33 +0800
Subject: [PATCH] HBASE-26208 Supports revoke namespace specified permission
---
 hbase-shell/src/main/ruby/hbase/security.rb | 19 ++++++++++---
 .../src/main/ruby/shell/commands/revoke.rb | 2 +-
 .../test/ruby/hbase/security_admin_test.rb | 28 +++++++++++++++++++
 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/hbase-shell/src/main/ruby/hbase/security.rb b/hbase-shell/src/main/ruby/hbase/security.rb
index 0958d3e641ae..bc9e305fa007 100644
--- a/hbase-shell/src/main/ruby/hbase/security.rb
+++ b/hbase-shell/src/main/ruby/hbase/security.rb
@@ -100,10 +100,21 @@ def revoke(user, table_name = nil, family = nil, qualifier = nil)
 namespace_name = table_name[1...table_name.length]
 raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name)
- tablebytes = table_name.to_java_bytes
- org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
- @connection, namespace_name, user
- )
+ if (!family.nil?)
+ permission = family[1...family.length-1]
+ perm = org.apache.hadoop.hbase.security.access.Permission.new(
+ permission.to_java_bytes
+ )
+ puts "revoke #{permission} permission"
+ org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+ @connection, namespace_name, user, perm.getActions
+ )
+ else
+ tablebytes = table_name.to_java_bytes
+ org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+ @connection, namespace_name, user
+ )
+ end
 else
 # Table should exist
 raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)
diff --git a/hbase-shell/src/main/ruby/shell/commands/revoke.rb b/hbase-shell/src/main/ruby/shell/commands/revoke.rb
index 4742bd79f63a..00734ed21410 100644
--- a/hbase-shell/src/main/ruby/shell/commands/revoke.rb
+++ b/hbase-shell/src/main/ruby/shell/commands/revoke.rb
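Review bot: `permission = family[1...family.length-1]` drops the first and last character of the permission string, so the documented call `revoke 'bobsmith', '@ns1', 'RWXCA'` builds the Permission from `WXC` and leaves READ and ADMIN granted, and a one-letter argument such as `'C'` becomes an empty string. For an access-control command this fails open: rights the operator named stay in place, and the only feedback is the `puts` line echoing the truncated value. Take the argument as given, `permission = family`, and guard it with `raise(ArgumentError, 'Permission string is empty') if permission.empty?`; how `AccessControlClient.revoke` treats an empty action list is not visible here and is worth confirming. The `tablebytes` assignment carried into the else branch is unused in the visible lines, and the body of `revoke` starts before and continues after this hunk.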
@@ -33,7 +33,7 @@ def help
 hbase> revoke 'bobsmith'
 hbase> revoke '@admins'
- hbase> revoke 'bobsmith', '@ns1'
+ hbase> revoke 'bobsmith', '@ns1', 'RWXCA'
 hbase> revoke 'bobsmith', 't1', 'f1', 'col1'
 hbase> revoke 'bobsmith', 'ns1:t1', 'f1', 'col1'
 EOF
diff --git a/hbase-shell/src/test/ruby/hbase/security_admin_test.rb b/hbase-shell/src/test/ruby/hbase/security_admin_test.rb
index 8839c33dabce..ac32cc66beff 100644
--- a/hbase-shell/src/test/ruby/hbase/security_admin_test.rb
+++ b/hbase-shell/src/test/ruby/hbase/security_admin_test.rb
@@ -52,6 +52,34 @@ def teardown
 assert_equal(0, security_admin.user_permission(@test_name).length)
 end
+ define_test "Revoke namespace should rid access rights appropriately" do
+ ns = 'test_ns_grant_revoke'
+ command(:drop_namespace, ns)
+ command(:create_namespace, ns)
+ test_ns_grant_revoke_user = org.apache.hadoop.hbase.security.User.createUserForTesting(
+ $TEST_CLUSTER.getConfiguration, "test_ns_grant_revoke", []).getName()
+ security_admin.grant(test_grant_revoke_user,"WRC", ns)
+ security_admin.user_permission(ns) do |user, permission|
+ assert_match(eval("/WRITE/"), permission.to_s)
+ assert_match(eval("/READ/"), permission.to_s)
+ assert_match(eval("/CREATE/"), permission.to_s)
+ end
+
+ security_admin.revoke(test_grant_revoke_user, ns, "C")
+ found_permission = false
+ security_admin.user_permission(ns) do |user, permission|
+ if user == "test_ns_grant_revoke"
+ assert_match(eval("/READ/"), permission.to_s)
+ assert_match(eval("/WRITE/"), permission.to_s)
+ assert_no_match(eval("/EXEC/"), permission.to_s)
+ assert_no_match(eval("/CREATE/"), permission.to_s)
+ assert_no_match(eval("/ADMIN/"), permission.to_s)
+ found_permission = true
+ end
+ end
+ assert(found_permission, "Permission for user test_ns_grant_revoke was not found.")
+ end
+
 define_test "Grant should set access rights appropriately" do
 drop_test_table(@test_name)
 create_test_table(@test_name)
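Review bot: The new test does not appear to reach the namespace branch it is named for: `ns` is passed to `grant` and `revoke` without the `@` prefix that the `revoke` help text uses for namespaces (`'@ns1'`), and both calls use `test_grant_revoke_user` while the variable assigned above is `test_ns_grant_revoke_user`, so unless that name is defined outside the hunk the test stops with a NameError. Pass `test_ns_grant_revoke_user` and `"@#{ns}"` in both calls; whether `user_permission` needs the same prefix is not visible here. A second case that revokes several letters at once (the help example is `'RWXCA'`) would pin the documented usage and catch a permission string that is parsed short. The first `user_permission` block asserts on every entry returned, without the `user ==` filter the second block has. `eval("/WRITE/")` and its siblings can be plain regexp literals such as `/WRITE/`; the eval adds nothing.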