HBASE-26208 Supports revoke @ns specified permission

Author: SiCheng-Zheng

hbase-shell/src/main/ruby/hbase/security.rb

@@ -100,10 +100,21 @@ def revoke(user, table_name = nil, family = nil, qualifier = nil)
             namespace_name = table_name[1...table_name.length]
             raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name)
 
-            tablebytes = table_name.to_java_bytes
-            org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
-              @connection, namespace_name, user
-            )
+            if (!family.nil?)
+              permission = family[1...family.length-1]
+              perm = org.apache.hadoop.hbase.security.access.Permission.new(
+                permission.to_java_bytes
+              )
+              puts "revoke #{permission} permission"
+              org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+                @connection, namespace_name, user, perm.getActions
+              )
+            else
+              tablebytes = table_name.to_java_bytes
+              org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+                @connection, namespace_name, user
+              )
+            end
           else
             # Table should exist
             raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)

hbase-shell/src/main/ruby/shell/commands/revoke.rb

@@ -34,6 +34,7 @@ def help
     hbase> revoke 'bobsmith'
     hbase> revoke '@admins'
     hbase> revoke 'bobsmith', '@ns1'
+    hbase> revoke 'bobsmith', '@ns1', 'RWXCA'
     hbase> revoke 'bobsmith', 't1', 'f1', 'col1'
     hbase> revoke 'bobsmith', 'ns1:t1', 'f1', 'col1'
 EOF

hbase-shell/src/test/ruby/hbase/security_admin_test.rb

@@ -78,6 +78,29 @@ def teardown
       assert(found_permission, "Permission for user test_grant_revoke was not found.")
     end
 
+    define_test "Grant and revoke should set access rights appropriately" do
+      drop_test_table(@test_name)
+      create_test_table(@test_name)
+      table = table(@test_name)
+      test_grant_revoke_user = org.apache.hadoop.hbase.security.User.createUserForTesting(
+        $TEST_CLUSTER.getConfiguration, "test_grant_revoke", []).getName()
+
+      security_admin.grant(test_grant_revoke_user,"RWXCA", @test_name)
+      security_admin.revoke(test_grant_revoke_user, @test_name, "CA")
+      found_permission = false
+      security_admin.user_permission(@test_name) do |user, permission|
+        if user == "test_grant_revoke"
+          assert_match(eval("/READ/"), permission.to_s)
+          assert_match(eval("/WRITE/"), permission.to_s)
+          assert_match(eval("/EXEC/"), permission.to_s)
+          assert_no_match(eval("/CREATE/"), permission.to_s)
+          assert_no_match(eval("/ADMIN/"), permission.to_s)
+          found_permission = true
+        end
+      end
+      assert(found_permission, "Permission for user test_grant_revoke was not found.")
+    end
+
     define_test 'Grant and revoke global permission should set access rights appropriately' do
       global_user_name = 'test_grant_revoke_global'
       security_admin.grant(global_user_name, 'W')