You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by ap...@apache.org on 2012/06/09 20:15:33 UTC
svn commit: r1348466 - in /hbase/trunk/hbase-server/src:
main/java/org/apache/hadoop/hbase/security/access/AccessController.java
test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Author: apurtell
Date: Sat Jun 9 18:15:33 2012
New Revision: 1348466
URL: http://svn.apache.org/viewvc?rev=1348466&view=rev
Log:
HBASE-5372. Table mutation operations should check table level rights (Laxman)
Modified:
hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Modified: hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1348466&r1=1348465&r2=1348466&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Sat Jun 9 18:15:33 2012
@@ -372,12 +372,33 @@ public class AccessController extends Ba
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if authorization is denied
*/
- private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
- byte[] tableName) throws IOException {
- if (isActiveUserTableOwner(e, tableName)) {
- requirePermission(Permission.Action.CREATE);
+ private void requireTableAdminPermission(MasterCoprocessorEnvironment e, byte[] tableName)
+ throws IOException {
+ User user = getActiveUser();
+ AuthResult result = null;
+
+ // Table admins are allowed to perform DDL
+ if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)) {
+ result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
+ tableName);
+ } else if (isActiveUserTableOwner(e, tableName)) {
+ // Table owners with Create permission are allowed to perform DDL
+ if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE)) {
+ result = AuthResult.allow("Owner has table permission", user,
+ TablePermission.Action.CREATE, tableName);
+ } else {
+ // Table owners without Create permission cannot perform DDL
+ result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
+ tableName);
+ }
} else {
- requirePermission(Permission.Action.ADMIN);
+ // rest of the world
+ result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
+ tableName);
+ }
+ logResult(result);
+ if (!result.isAllowed()) {
+ throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
}
}
Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1348466&r1=1348465&r2=1348466&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java Sat Jun 9 18:15:33 2012
@@ -80,6 +80,8 @@ public class TestAccessController {
private static User USER_RW;
// user with read-only permissions
private static User USER_RO;
+ // user with table admin permissions
+ private static User USER_TBLADM;
// user with no permissions
private static User USER_NONE;
@@ -110,6 +112,7 @@ public class TestAccessController {
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
+ USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
@@ -132,6 +135,9 @@ public class TestAccessController {
protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()),
TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
+
+ protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
+ TEST_TABLE, null, Permission.Action.ADMIN));
}
@AfterClass
@@ -232,6 +238,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, modifyTable);
verifyAllowed(USER_ADMIN, modifyTable);
+ verifyAllowed(USER_TBLADM, modifyTable);
}
@Test
@@ -252,6 +259,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, deleteTable);
verifyAllowed(USER_ADMIN, deleteTable);
+ verifyAllowed(USER_TBLADM, deleteTable);
}
@Test
@@ -273,6 +281,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, action);
verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
}
@Test
@@ -295,6 +304,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, action);
verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
}
@Test
@@ -315,6 +325,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, action);
verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
}
@Test
@@ -335,6 +346,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, disableTable);
verifyAllowed(USER_ADMIN, disableTable);
+ verifyAllowed(USER_TBLADM, disableTable);
}
@Test
@@ -355,6 +367,7 @@ public class TestAccessController {
// verify that superuser can create tables
verifyAllowed(SUPERUSER, enableTable);
verifyAllowed(USER_ADMIN, enableTable);
+ verifyAllowed(USER_TBLADM, enableTable);
}
@Test