HBASE-26208 Supports revoke namespace specified permission

Author: SiCheng-Zheng

hbase-shell/src/main/ruby/hbase/security.rb

@@ -100,10 +100,21 @@ def revoke(user, table_name = nil, family = nil, qualifier = nil)
             namespace_name = table_name[1...table_name.length]
             raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name)
 
-            tablebytes = table_name.to_java_bytes
-            org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
-              @connection, namespace_name, user
-            )
+            if (!family.nil?)
+              permission = family[1...family.length-1]
+              perm = org.apache.hadoop.hbase.security.access.Permission.new(
+                permission.to_java_bytes
+              )
+              puts "revoke #{permission} permission"
+              org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+                @connection, namespace_name, user, perm.getActions
+              )
+            else
+              tablebytes = table_name.to_java_bytes
+              org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+                @connection, namespace_name, user
+              )
+            end
           else
             # Table should exist
             raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)

hbase-shell/src/main/ruby/shell/commands/revoke.rb

@@ -33,7 +33,7 @@ def help
 
     hbase> revoke 'bobsmith'
     hbase> revoke '@admins'
-    hbase> revoke 'bobsmith', '@ns1'
+    hbase> revoke 'bobsmith', '@ns1', 'RWXCA'
     hbase> revoke 'bobsmith', 't1', 'f1', 'col1'
     hbase> revoke 'bobsmith', 'ns1:t1', 'f1', 'col1'
 EOF

hbase-shell/src/test/ruby/hbase/security_admin_test.rb

@@ -52,6 +52,34 @@ def teardown
       assert_equal(0, security_admin.user_permission(@test_name).length)
     end
 
+    define_test "Revoke namespace should rid access rights appropriately" do
+      ns = 'test_ns_grant_revoke'
+      command(:drop_namespace, ns)
+      command(:create_namespace, ns)
+      test_ns_grant_revoke_user = org.apache.hadoop.hbase.security.User.createUserForTesting(
+        $TEST_CLUSTER.getConfiguration, "test_ns_grant_revoke", []).getName()
+      security_admin.grant(test_grant_revoke_user,"WRC", ns)
+      security_admin.user_permission(ns) do |user, permission|
+        assert_match(eval("/WRITE/"), permission.to_s)
+        assert_match(eval("/READ/"), permission.to_s)
+        assert_match(eval("/CREATE/"), permission.to_s)
+      end
+
+      security_admin.revoke(test_grant_revoke_user, ns, "C")
+      found_permission = false
+      security_admin.user_permission(ns) do |user, permission|
+        if user == "test_ns_grant_revoke"
+          assert_match(eval("/READ/"), permission.to_s)
+          assert_match(eval("/WRITE/"), permission.to_s)
+          assert_no_match(eval("/EXEC/"), permission.to_s)
+          assert_no_match(eval("/CREATE/"), permission.to_s)
+          assert_no_match(eval("/ADMIN/"), permission.to_s)
+          found_permission = true
+        end
+      end
+      assert(found_permission, "Permission for user test_ns_grant_revoke was not found.")
+    end
+
     define_test "Grant should set access rights appropriately" do
       drop_test_table(@test_name)
       create_test_table(@test_name)