You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by la...@apache.org on 2012/12/19 17:33:22 UTC
svn commit: r1423927 - in /hbase/branches/0.94: conf/log4j.properties
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Author: larsh
Date: Wed Dec 19 16:33:21 2012
New Revision: 1423927
URL: http://svn.apache.org/viewvc?rev=1423927&view=rev
Log:
HBASE-6585 Audit log messages should contain info about the higher level operation being executed (Matteo Bertozzi)
Modified:
hbase/branches/0.94/conf/log4j.properties
hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Modified: hbase/branches/0.94/conf/log4j.properties
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/conf/log4j.properties?rev=1423927&r1=1423926&r2=1423927&view=diff
==============================================================================
--- hbase/branches/0.94/conf/log4j.properties (original)
+++ hbase/branches/0.94/conf/log4j.properties Wed Dec 19 16:33:21 2012
@@ -39,6 +39,7 @@ log4j.appender.DRFAS.layout=org.apache.l
log4j.appender.DRFAS.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n
log4j.category.SecurityLogger=${hbase.security.logger}
log4j.additivity.SecurityLogger=false
+#log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController=TRACE
#
# Null Appender
Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1423927&r1=1423926&r2=1423927&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Wed Dec 19 16:33:21 2012
@@ -112,12 +112,14 @@ public class AccessController extends Ba
private final byte[] family;
private final byte[] qualifier;
private final Permission.Action action;
+ private final String request;
private final String reason;
private final User user;
- public AuthResult(boolean allowed, String reason, User user,
+ public AuthResult(boolean allowed, String request, String reason, User user,
Permission.Action action, byte[] table, byte[] family, byte[] qualifier) {
this.allowed = allowed;
+ this.request = request;
this.reason = reason;
this.user = user;
this.table = table;
@@ -132,6 +134,8 @@ public class AccessController extends Ba
public String getReason() { return reason; }
+ public String getRequest() { return request; }
+
public String toContextString() {
return "(user=" + (user != null ? user.getName() : "UNKNOWN") + ", " +
"scope=" + (table == null ? "GLOBAL" : Bytes.toString(table)) + ", " +
@@ -145,23 +149,23 @@ public class AccessController extends Ba
.append(toContextString()).toString();
}
- public static AuthResult allow(String reason, User user, Permission.Action action,
+ public static AuthResult allow(String request, String reason, User user, Permission.Action action,
byte[] table, byte[] family, byte[] qualifier) {
- return new AuthResult(true, reason, user, action, table, family, qualifier);
+ return new AuthResult(true, request, reason, user, action, table, family, qualifier);
}
- public static AuthResult allow(String reason, User user, Permission.Action action, byte[] table) {
- return new AuthResult(true, reason, user, action, table, null, null);
+ public static AuthResult allow(String request, String reason, User user, Permission.Action action, byte[] table) {
+ return new AuthResult(true, request, reason, user, action, table, null, null);
}
- public static AuthResult deny(String reason, User user,
+ public static AuthResult deny(String request, String reason, User user,
Permission.Action action, byte[] table) {
- return new AuthResult(false, reason, user, action, table, null, null);
+ return new AuthResult(false, request, reason, user, action, table, null, null);
}
- public static AuthResult deny(String reason, User user,
+ public static AuthResult deny(String request, String reason, User user,
Permission.Action action, byte[] table, byte[] family, byte[] qualifier) {
- return new AuthResult(false, reason, user, action, table, family, qualifier);
+ return new AuthResult(false, request, reason, user, action, table, family, qualifier);
}
}
@@ -252,7 +256,7 @@ public class AccessController extends Ba
* the request
* @return
*/
- AuthResult permissionGranted(User user, TablePermission.Action permRequest,
+ AuthResult permissionGranted(String request, User user, TablePermission.Action permRequest,
RegionCoprocessorEnvironment e,
Map<byte [], ? extends Collection<?>> families) {
HRegionInfo hri = e.getRegion().getRegionInfo();
@@ -262,12 +266,12 @@ public class AccessController extends Ba
// this is a very common operation, so deal with it quickly.
if (hri.isRootRegion() || hri.isMetaRegion()) {
if (permRequest == TablePermission.Action.READ) {
- return AuthResult.allow("All users allowed", user, permRequest, tableName);
+ return AuthResult.allow(request, "All users allowed", user, permRequest, tableName);
}
}
if (user == null) {
- return AuthResult.deny("No user associated with request!", null, permRequest, tableName);
+ return AuthResult.deny(request, "No user associated with request!", null, permRequest, tableName);
}
// Users with CREATE/ADMIN rights need to modify .META. and _acl_ table
@@ -281,12 +285,12 @@ public class AccessController extends Ba
(authManager.authorize(user, Permission.Action.CREATE) ||
authManager.authorize(user, Permission.Action.ADMIN)))
{
- return AuthResult.allow("Table permission granted", user, permRequest, tableName);
+ return AuthResult.allow(request, "Table permission granted", user, permRequest, tableName);
}
// 2. check for the table-level, if successful we can short-circuit
if (authManager.authorize(user, tableName, (byte[])null, permRequest)) {
- return AuthResult.allow("Table permission granted", user, permRequest, tableName);
+ return AuthResult.allow(request, "Table permission granted", user, permRequest, tableName);
}
// 3. check permissions against the requested families
@@ -307,7 +311,7 @@ public class AccessController extends Ba
for (byte[] qualifier : familySet) {
if (!authManager.authorize(user, tableName, family.getKey(),
qualifier, permRequest)) {
- return AuthResult.deny("Failed qualifier check", user,
+ return AuthResult.deny(request, "Failed qualifier check", user,
permRequest, tableName, family.getKey(), qualifier);
}
}
@@ -316,25 +320,25 @@ public class AccessController extends Ba
for (KeyValue kv : kvList) {
if (!authManager.authorize(user, tableName, family.getKey(),
kv.getQualifier(), permRequest)) {
- return AuthResult.deny("Failed qualifier check", user,
+ return AuthResult.deny(request, "Failed qualifier check", user,
permRequest, tableName, family.getKey(), kv.getQualifier());
}
}
}
} else {
// no qualifiers and family-level check already failed
- return AuthResult.deny("Failed family check", user, permRequest,
+ return AuthResult.deny(request, "Failed family check", user, permRequest,
tableName, family.getKey(), null);
}
}
// all family checks passed
- return AuthResult.allow("All family checks passed", user, permRequest,
+ return AuthResult.allow(request, "All family checks passed", user, permRequest,
tableName);
}
// 4. no families to check and table level access failed
- return AuthResult.deny("No families to check and table permission failed",
+ return AuthResult.deny(request, "No families to check and table permission failed",
user, permRequest, tableName);
}
@@ -349,6 +353,7 @@ public class AccessController extends Ba
" for user " + (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") +
"; reason: " + result.getReason() +
"; remote address: " + (remoteAddr != null ? remoteAddr : "") +
+ "; request: " + result.getRequest() +
"; context: " + result.toContextString());
}
}
@@ -377,18 +382,20 @@ public class AccessController extends Ba
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if user has no authorization
*/
- private void requirePermission(byte[] tableName, byte[] family, byte[] qualifier,
+ private void requirePermission(String request, byte[] tableName, byte[] family, byte[] qualifier,
Action... permissions) throws IOException {
User user = getActiveUser();
AuthResult result = null;
for (Action permission : permissions) {
if (authManager.authorize(user, tableName, family, qualifier, permission)) {
- result = AuthResult.allow("Table permission granted", user, permission, tableName, family, qualifier);
+ result = AuthResult.allow(request, "Table permission granted", user,
+ permission, tableName, family, qualifier);
break;
} else {
// rest of the world
- result = AuthResult.deny("Insufficient permissions", user, permission, tableName, family, qualifier);
+ result = AuthResult.deny(request, "Insufficient permissions", user,
+ permission, tableName, family, qualifier);
}
}
logResult(result);
@@ -403,12 +410,12 @@ public class AccessController extends Ba
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if authorization is denied
*/
- private void requirePermission(Permission.Action perm) throws IOException {
+ private void requirePermission(String request, Permission.Action perm) throws IOException {
User user = getActiveUser();
if (authManager.authorize(user, perm)) {
- logResult(AuthResult.allow("Global check allowed", user, perm, null));
+ logResult(AuthResult.allow(request, "Global check allowed", user, perm, null));
} else {
- logResult(AuthResult.deny("Global check failed", user, perm, null));
+ logResult(AuthResult.deny(request, "Global check failed", user, perm, null));
throw new AccessDeniedException("Insufficient permissions for user '" +
(user != null ? user.getShortName() : "null") +"' (global, action=" +
perm.toString() + ")");
@@ -423,7 +430,7 @@ public class AccessController extends Ba
* @param families The set of column families present/required in the request
* @throws AccessDeniedException if the authorization check failed
*/
- private void requirePermission(Permission.Action perm,
+ private void requirePermission(String request, Permission.Action perm,
RegionCoprocessorEnvironment env, Collection<byte[]> families)
throws IOException {
// create a map of family-qualifier
@@ -431,7 +438,7 @@ public class AccessController extends Ba
for (byte[] family : families) {
familyMap.put(family, null);
}
- requirePermission(perm, env, familyMap);
+ requirePermission(request, perm, env, familyMap);
}
/**
@@ -442,12 +449,12 @@ public class AccessController extends Ba
* @param families The map of column families-qualifiers.
* @throws AccessDeniedException if the authorization check failed
*/
- private void requirePermission(Permission.Action perm,
+ private void requirePermission(String request, Permission.Action perm,
RegionCoprocessorEnvironment env,
Map<byte[], ? extends Collection<?>> families)
throws IOException {
User user = getActiveUser();
- AuthResult result = permissionGranted(user, perm, env, families);
+ AuthResult result = permissionGranted(request, user, perm, env, families);
logResult(result);
if (!result.isAllowed()) {
@@ -532,7 +539,7 @@ public class AccessController extends Ba
@Override
public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> c,
HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ requirePermission("createTable", Permission.Action.CREATE);
}
@Override
@@ -551,7 +558,7 @@ public class AccessController extends Ba
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName)
throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("deleteTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -563,7 +570,7 @@ public class AccessController extends Ba
@Override
public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HTableDescriptor htd) throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("modifyTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -580,7 +587,7 @@ public class AccessController extends Ba
@Override
public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HColumnDescriptor column) throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("addColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -590,7 +597,7 @@ public class AccessController extends Ba
@Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
HColumnDescriptor descriptor) throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("modifyColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -600,7 +607,7 @@ public class AccessController extends Ba
@Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName,
byte[] col) throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("deleteColumn", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -613,7 +620,7 @@ public class AccessController extends Ba
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, byte[] tableName)
throws IOException {
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("enableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -627,7 +634,7 @@ public class AccessController extends Ba
throw new AccessDeniedException("Not allowed to disable "
+ AccessControlLists.ACL_TABLE_NAME_STR + " table.");
}
- requirePermission(tableName, null, null, Action.ADMIN, Action.CREATE);
+ requirePermission("disableTable", tableName, null, null, Action.ADMIN, Action.CREATE);
}
@Override
@@ -637,7 +644,7 @@ public class AccessController extends Ba
@Override
public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region,
ServerName srcServer, ServerName destServer) throws IOException {
- requirePermission(region.getTableName(), null, null, Action.ADMIN);
+ requirePermission("move", region.getTableName(), null, null, Action.ADMIN);
}
@Override
@@ -648,7 +655,7 @@ public class AccessController extends Ba
@Override
public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo)
throws IOException {
- requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN);
+ requirePermission("assign", regionInfo.getTableName(), null, null, Action.ADMIN);
}
@Override
@@ -658,7 +665,7 @@ public class AccessController extends Ba
@Override
public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo,
boolean force) throws IOException {
- requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN);
+ requirePermission("unassign", regionInfo.getTableName(), null, null, Action.ADMIN);
}
@Override
@@ -668,7 +675,7 @@ public class AccessController extends Ba
@Override
public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission(Permission.Action.ADMIN);
+ requirePermission("balance", Permission.Action.ADMIN);
}
@Override
public void postBalance(ObserverContext<MasterCoprocessorEnvironment> c)
@@ -677,7 +684,7 @@ public class AccessController extends Ba
@Override
public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,
boolean newValue) throws IOException {
- requirePermission(Permission.Action.ADMIN);
+ requirePermission("balanceSwitch", Permission.Action.ADMIN);
return newValue;
}
@Override
@@ -687,13 +694,13 @@ public class AccessController extends Ba
@Override
public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission(Permission.Action.ADMIN);
+ requirePermission("shutdown", Permission.Action.ADMIN);
}
@Override
public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)
throws IOException {
- requirePermission(Permission.Action.ADMIN);
+ requirePermission("stopMaster", Permission.Action.ADMIN);
}
@Override
@@ -738,32 +745,32 @@ public class AccessController extends Ba
@Override
public void preFlush(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
- requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN);
+ requirePermission("flush", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
}
@Override
public void preSplit(ObserverContext<RegionCoprocessorEnvironment> e) throws IOException {
- requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN);
+ requirePermission("split", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
}
@Override
public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> e,
final Store store, final InternalScanner scanner) throws IOException {
- requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN);
+ requirePermission("compact", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
return scanner;
}
@Override
public void preCompactSelection(final ObserverContext<RegionCoprocessorEnvironment> e,
final Store store, final List<StoreFile> candidates) throws IOException {
- requirePermission(getTableName(e.getEnvironment()), null, null, Action.ADMIN);
+ requirePermission("compactSelection", getTableName(e.getEnvironment()), null, null, Action.ADMIN);
}
@Override
public void preGetClosestRowBefore(final ObserverContext<RegionCoprocessorEnvironment> c,
final byte [] row, final byte [] family, final Result result)
throws IOException {
- requirePermission(TablePermission.Action.READ, c.getEnvironment(),
+ requirePermission("getClosestRowBefore", TablePermission.Action.READ, c.getEnvironment(),
(family != null ? Lists.newArrayList(family) : null));
}
@@ -776,7 +783,7 @@ public class AccessController extends Ba
*/
RegionCoprocessorEnvironment e = c.getEnvironment();
User requestUser = getActiveUser();
- AuthResult authResult = permissionGranted(requestUser,
+ AuthResult authResult = permissionGranted("get", requestUser,
TablePermission.Action.READ, e, get.getFamilyMap());
if (!authResult.isAllowed()) {
if (hasFamilyQualifierPermission(requestUser,
@@ -793,7 +800,7 @@ public class AccessController extends Ba
} else {
get.setFilter(filter);
}
- logResult(AuthResult.allow("Access allowed with filter", requestUser,
+ logResult(AuthResult.allow("get", "Access allowed with filter", requestUser,
TablePermission.Action.READ, authResult.table));
} else {
logResult(authResult);
@@ -809,7 +816,7 @@ public class AccessController extends Ba
@Override
public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c,
final Get get, final boolean exists) throws IOException {
- requirePermission(TablePermission.Action.READ, c.getEnvironment(),
+ requirePermission("exists", TablePermission.Action.READ, c.getEnvironment(),
get.familySet());
return exists;
}
@@ -818,7 +825,7 @@ public class AccessController extends Ba
public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c,
final Put put, final WALEdit edit, final boolean writeToWAL)
throws IOException {
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(),
+ requirePermission("put", TablePermission.Action.WRITE, c.getEnvironment(),
put.getFamilyMap());
}
@@ -834,7 +841,7 @@ public class AccessController extends Ba
public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c,
final Delete delete, final WALEdit edit, final boolean writeToWAL)
throws IOException {
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(),
+ requirePermission("delete", TablePermission.Action.WRITE, c.getEnvironment(),
delete.getFamilyMap());
}
@@ -854,8 +861,8 @@ public class AccessController extends Ba
final WritableByteArrayComparable comparator, final Put put,
final boolean result) throws IOException {
Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
- requirePermission(TablePermission.Action.READ, c.getEnvironment(), familyMap);
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
+ requirePermission("checkAndPut", TablePermission.Action.READ, c.getEnvironment(), familyMap);
+ requirePermission("checkAndPut", TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
return result;
}
@@ -866,8 +873,8 @@ public class AccessController extends Ba
final WritableByteArrayComparable comparator, final Delete delete,
final boolean result) throws IOException {
Collection<byte[]> familyMap = Arrays.asList(new byte[][]{family});
- requirePermission(TablePermission.Action.READ, c.getEnvironment(), familyMap);
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
+ requirePermission("checkAndDelete", TablePermission.Action.READ, c.getEnvironment(), familyMap);
+ requirePermission("checkAndDelete", TablePermission.Action.WRITE, c.getEnvironment(), familyMap);
return result;
}
@@ -876,7 +883,7 @@ public class AccessController extends Ba
final byte [] row, final byte [] family, final byte [] qualifier,
final long amount, final boolean writeToWAL)
throws IOException {
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(),
+ requirePermission("incrementColumnValue", TablePermission.Action.WRITE, c.getEnvironment(),
Arrays.asList(new byte[][]{family}));
return -1;
}
@@ -884,7 +891,7 @@ public class AccessController extends Ba
@Override
public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append)
throws IOException {
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(), append.getFamilyMap());
+ requirePermission("append", TablePermission.Action.WRITE, c.getEnvironment(), append.getFamilyMap());
return null;
}
@@ -892,7 +899,7 @@ public class AccessController extends Ba
public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,
final Increment increment)
throws IOException {
- requirePermission(TablePermission.Action.WRITE, c.getEnvironment(),
+ requirePermission("increment", TablePermission.Action.WRITE, c.getEnvironment(),
increment.getFamilyMap().keySet());
return null;
}
@@ -906,7 +913,7 @@ public class AccessController extends Ba
*/
RegionCoprocessorEnvironment e = c.getEnvironment();
User user = getActiveUser();
- AuthResult authResult = permissionGranted(user, TablePermission.Action.READ, e,
+ AuthResult authResult = permissionGranted("scannerOpen", user, TablePermission.Action.READ, e,
scan.getFamilyMap());
if (!authResult.isAllowed()) {
if (hasFamilyQualifierPermission(user, TablePermission.Action.READ, e,
@@ -923,7 +930,7 @@ public class AccessController extends Ba
} else {
scan.setFilter(filter);
}
- logResult(AuthResult.allow("Access allowed with filter", user,
+ logResult(AuthResult.allow("scannerOpen", "Access allowed with filter", user,
TablePermission.Action.READ, authResult.table));
} else {
// no table/family level perms and no qualifier level perms, reject
@@ -999,7 +1006,7 @@ public class AccessController extends Ba
LOG.debug("Received request to grant access permission " + perm.toString());
}
- requirePermission(perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
+ requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
if (AUDITLOG.isTraceEnabled()) {
@@ -1029,7 +1036,8 @@ public class AccessController extends Ba
LOG.debug("Received request to revoke access permission " + perm.toString());
}
- requirePermission(perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);
+ requirePermission("revoke", perm.getTable(), perm.getFamily(),
+ perm.getQualifier(), Action.ADMIN);
AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
if (AUDITLOG.isTraceEnabled()) {
@@ -1055,7 +1063,7 @@ public class AccessController extends Ba
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
// only allowed to be called on _acl_ region
if (aclRegion) {
- requirePermission(tableName, null, null, Action.ADMIN);
+ requirePermission("userPermissions", tableName, null, null, Action.ADMIN);
List<UserPermission> perms = AccessControlLists.getUserPermissions(
regionEnv.getConfiguration(), tableName);
@@ -1089,12 +1097,12 @@ public class AccessController extends Ba
}
}
- requirePermission(action, regionEnv, familyMap);
+ requirePermission("checkPermissions", action, regionEnv, familyMap);
}
} else {
for (Permission.Action action : permission.getActions()) {
- requirePermission(action);
+ requirePermission("checkPermissions", action);
}
}
}