Posted to commits@hbase.apache.org by te...@apache.org on 2012/04/19 02:44:35 UTC
svn commit: r1327758 - in /hbase/branches/0.92: CHANGES.txt
security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Author: tedyu
Date: Thu Apr 19 00:44:34 2012
New Revision: 1327758
URL: http://svn.apache.org/viewvc?rev=1327758&view=rev
Log:
HBASE-5787 Table owner can't disable/delete its own table (Matteo)
Modified:
hbase/branches/0.92/CHANGES.txt
hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Modified: hbase/branches/0.92/CHANGES.txt
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/CHANGES.txt?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/CHANGES.txt (original)
+++ hbase/branches/0.92/CHANGES.txt Thu Apr 19 00:44:34 2012
@@ -42,6 +42,7 @@ Release 0.92.2 - Unreleased
HBASE-5793 TestHBaseFsck#TestNoHdfsTable test hangs after client retries increased
HBASE-5780 Fix race in HBase regionserver startup vs ZK SASL authentication (Shaneal Manek)
HBASE-5823 HBASE-5823 Hbck should be able to print help (Enis Soztutar)
+ HBASE-5787 Table owner can't disable/delete its own table (Matteo)
IMPROVEMENTS
HBASE-5592 Make it easier to get a table from shell (Ben West)
Modified: hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Thu Apr 19 00:44:34 2012
@@ -505,7 +505,11 @@ public class AccessController extends Ba
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
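Review bot: The rule enforced in preDeleteTable is not documented and is easy to misread. The owner branch still calls `requirePermission(Permission.Action.CREATE)`, so an owner who lacks that permission stays denied, while every non-owner now needs ADMIN where delete previously asked only for CREATE. A one-line comment above the `if`, such as `// Table owner needs CREATE; any other caller needs ADMIN.`, would make the intended policy reviewable. The same four-line if/else is repeated verbatim in the preEnableTable and preDisableTable hunks, so a single private helper taking the environment and table name would keep the three hooks from drifting apart. postDeleteTable continues outside the hunk.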
@@ -555,8 +559,11 @@ public class AccessController extends Ba
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- /* TODO: Allow for users with global CREATE permission and the table owner */
- requirePermission(Permission.Action.ADMIN);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -565,8 +572,11 @@ public class AccessController extends Ba
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- /* TODO: Allow for users with global CREATE permission and the table owner */
- requirePermission(Permission.Action.ADMIN);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -1027,4 +1037,16 @@ public class AccessController extends Ba
}
return tableName;
}
+
+ private String getTableOwner(MasterCoprocessorEnvironment e,
+ byte[] tableName) throws IOException {
+ HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
+ return htd.getOwnerString();
+ }
+
+ private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
+ byte[] tableName) throws IOException {
+ String activeUser = getActiveUser().getShortName();
+ return activeUser.equals(getTableOwner(e, tableName));
+ }
}
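Review bot: getTableOwner never closes the handle returned by `e.getTable(tableName)`, and it now runs on every delete, enable and disable request; the table should be released in a `finally`. The ownership lookup also runs before any `requirePermission` call, so a caller with no rights presumably sees the lookup's IOException for a missing table and an access-denied error for an existing one, which discloses whether a table exists. Confirm that is acceptable, or catch the lookup failure and fall through to the ADMIN check. In isActiveUserTableOwner, `getActiveUser()` is dereferenced without a null check and the comparison uses short names only, so it is worth confirming that short names are unique across the realms the cluster accepts.

```java
private String getTableOwner(MasterCoprocessorEnvironment e,
    byte[] tableName) throws IOException {
  HTableInterface table = e.getTable(tableName);
  try {
    return table.getTableDescriptor().getOwnerString();
  } finally {
    // Release the handle even when the descriptor lookup throws.
    table.close();
  }
}
```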
Modified: hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (original)
+++ hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java Thu Apr 19 00:44:34 2012
@@ -202,7 +202,7 @@ public class TestAccessController {
@Test
public void testTableModify() throws Exception {
- PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+ PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@@ -213,18 +213,18 @@ public class TestAccessController {
};
// all others should be denied
- verifyDenied(USER_OWNER, disableTable);
- verifyDenied(USER_RW, disableTable);
- verifyDenied(USER_RO, disableTable);
- verifyDenied(USER_NONE, disableTable);
+ verifyDenied(USER_OWNER, modifyTable);
+ verifyDenied(USER_RW, modifyTable);
+ verifyDenied(USER_RO, modifyTable);
+ verifyDenied(USER_NONE, modifyTable);
// verify that superuser can create tables
- verifyAllowed(SUPERUSER, disableTable);
+ verifyAllowed(SUPERUSER, modifyTable);
}
@Test
public void testTableDelete() throws Exception {
- PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+ PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null;
@@ -232,13 +232,13 @@ public class TestAccessController {
};
// all others should be denied
- verifyDenied(USER_OWNER, disableTable);
- verifyDenied(USER_RW, disableTable);
- verifyDenied(USER_RO, disableTable);
- verifyDenied(USER_NONE, disableTable);
+ verifyDenied(USER_OWNER, deleteTable);
+ verifyDenied(USER_RW, deleteTable);
+ verifyDenied(USER_RO, deleteTable);
+ verifyDenied(USER_NONE, deleteTable);
// verify that superuser can create tables
- verifyAllowed(SUPERUSER, disableTable);
+ verifyAllowed(SUPERUSER, deleteTable);
}
@Test
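Review bot: `verifyDenied(USER_OWNER, deleteTable)` still asserts that the owner is refused, so nothing in this test exercises the owner branch that the commit adds to preDeleteTable. The enable and disable hooks get no test in the visible hunks either. Whether USER_OWNER is recorded as the table owner and which global permissions it holds is set up outside the hunk, so confirm that the denial is for the intended reason, and add a case where an owner holding CREATE is allowed alongside a non-owner holding only CREATE who is denied. The retained comment `// verify that superuser can create tables` is stale here; `// verify that superuser can delete tables` matches the action. testTableDelete begins in the previous hunk.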