Posted to commits@hbase.apache.org by te...@apache.org on 2012/05/22 01:23:36 UTC
svn commit: r1341267 -
/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Author: tedyu
Date: Mon May 21 23:23:35 2012
New Revision: 1341267
URL: http://svn.apache.org/viewvc?rev=1341267&view=rev
Log:
HBASE-6061 Fix ACL "Admin" Table inconsistent permission check (Matteo Bertozzi)
Modified:
hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1341267&r1=1341266&r2=1341267&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Mon May 21 23:23:35 2012
@@ -362,6 +362,25 @@ public class AccessController extends Ba
}
/**
+ * Authorizes that the current user has "admin" privileges for the given table.
+ * that means he/she can edit/modify/delete the table.
+ * If current user is the table owner, and has CREATE permission,
+ * then he/she has table admin permission. otherwise ADMIN rights are checked.
+ * @param e Master coprocessor environment
+ * @param tableName Table requested
+ * @throws IOException if obtaining the current user fails
+ * @throws AccessDeniedException if authorization is denied
+ */
+ private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+ byte[] tableName) throws IOException {
+ if (isActiveUserTableOwner(e, tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
+ }
+
+ /**
* Authorizes that the current user has global privileges for the given action.
* @param perm The action being requested
* @throws IOException if obtaining the current user fails
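Review bot: In requireTableAdminPermission the owner branch checks only `Permission.Action.CREATE`, so a table owner who holds ADMIN but not CREATE is rejected. The exception is if requirePermission treats ADMIN as implying CREATE, which this hunk does not show. A safer shape is to let an owner without CREATE fall through to the ADMIN check instead of failing on the first call. Both branches also appear to use the global-scope check documented just below ("global privileges for the given action"), so a table-scoped ADMIN grant would not satisfy this helper. If that is intended, the Javadoc should say so, for example `* Both checks are made against global permissions; table-level grants are not consulted.`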
@@ -513,11 +532,7 @@ public class AccessController extends Ba
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
- requirePermission(Permission.Action.CREATE);
- } else {
- requirePermission(Permission.Action.ADMIN);
- }
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -528,7 +543,7 @@ public class AccessController extends Ba
@Override
public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HTableDescriptor htd) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
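Review bot: preModifyTable now authorizes against the table's current owner but never inspects the incoming `htd`. If ownership is carried in the table descriptor (not visible here), an owner holding only CREATE could submit a descriptor naming a different owner and this hook would not notice. Consider requiring ADMIN when the owner in `htd` differs from the current one, or add a comment stating where ownership changes are validated. The same helper replaces the plain CREATE check in preAddColumn, preModifyColumn and preDeleteColumn, so non-owners with only CREATE are newly denied there. A test per hook covering the owner, CREATE-only and ADMIN cases would pin that behaviour.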
@@ -538,7 +553,7 @@ public class AccessController extends Ba
@Override
public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HColumnDescriptor column) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -547,7 +562,7 @@ public class AccessController extends Ba
@Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HColumnDescriptor descriptor) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -557,7 +572,7 @@ public class AccessController extends Ba
@Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, byte[] col) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -569,11 +584,7 @@ public class AccessController extends Ba
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
- requirePermission(Permission.Action.CREATE);
- } else {
- requirePermission(Permission.Action.ADMIN);
- }
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -582,11 +593,7 @@ public class AccessController extends Ba
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
- requirePermission(Permission.Action.CREATE);
- } else {
- requirePermission(Permission.Action.ADMIN);
- }
+ requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,