You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by vi...@apache.org on 2012/01/10 17:11:48 UTC
svn commit: r1229621 -
/incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
Author: vines
Date: Tue Jan 10 16:11:48 2012
New Revision: 1229621
URL: http://svn.apache.org/viewvc?rev=1229621&view=rev
Log:
ACCUMULO-264 - will now error if the creator does not have any one authorization the created user has.
Modified:
incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
Modified: incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
URL: http://svn.apache.org/viewvc/incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java?rev=1229621&r1=1229620&r2=1229621&view=diff
==============================================================================
--- incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java (original)
+++ incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java Tue Jan 10 16:11:48 2012
@@ -208,6 +208,15 @@ public final class ZKAuthenticator imple
if (!hasSystemPermission(credentials, credentials.user, SystemPermission.CREATE_USER))
throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.PERMISSION_DENIED);
+ if (!hasSystemPermission(credentials, credentials.user, SystemPermission.ALTER_USER)) {
+ Authorizations creatorAuths = getUserAuthorizations(credentials, credentials.user);
+ for (byte[] auth : authorizations.getAuthorizations())
+ if (!creatorAuths.contains(auth)) {
+ log.info("User " + credentials.user + " attempted to create a user " + user + " with authorization " + new String(auth) + " they did not have");
+ throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.BAD_AUTHORIZATIONS);
+ }
+ }
+
// don't allow creating a user with the same name as system user
if (user.equals(SecurityConstants.SYSTEM_USERNAME))
throw new AccumuloSecurityException(user, SecurityErrorCode.PERMISSION_DENIED);