You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by vi...@apache.org on 2014/01/28 23:57:20 UTC
[3/8] git commit: Revert "ACCUMULO-1479 Simplification of namespace
support in SecurityOperation" Didn't mean to commit this
Revert "ACCUMULO-1479 Simplification of namespace support in SecurityOperation"
Didn't mean to commit this
This reverts commit 8cce1fdc3de13471f7dff00f7d18c7d78d8f968f.
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/f382cd8b
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/f382cd8b
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/f382cd8b
Branch: refs/heads/master
Commit: f382cd8bb7b704b4b8f3197d7f0389d4053cfc31
Parents: 4cdd6d5
Author: John Vines <vi...@apache.org>
Authored: Tue Jan 28 17:04:23 2014 -0500
Committer: John Vines <vi...@apache.org>
Committed: Tue Jan 28 17:04:37 2014 -0500
----------------------------------------------------------------------
.../core/security/NamespacePermission.java | 67 ++-----
.../security/AuditedSecurityOperation.java | 4 +-
.../server/security/SecurityOperation.java | 177 +++++++++++--------
.../accumulo/master/FateServiceHandler.java | 12 +-
.../accumulo/master/tableOps/CreateTable.java | 8 +-
.../test/randomwalk/security/CreateTable.java | 2 +-
.../org/apache/accumulo/test/NamespacesIT.java | 3 +-
7 files changed, 124 insertions(+), 149 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
index f9f7564..1066bc4 100644
--- a/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
+++ b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
@@ -23,20 +23,21 @@ import java.util.List;
* Accumulo namespace permissions. Each permission has an associated byte ID.
*/
public enum NamespacePermission {
- // One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
+ /*
+ * One may add new permissions, but new permissions must use new numbers.
+ * Current numbers in use must not be changed.
+ */
READ((byte) 0),
WRITE((byte) 1),
ALTER_NAMESPACE((byte) 2),
GRANT((byte) 3),
ALTER_TABLE((byte) 4),
CREATE_TABLE((byte) 5),
- DROP_TABLE((byte) 6),
- BULK_IMPORT((byte) 7),
- DROP_NAMESPACE((byte) 8);
+ DROP_TABLE((byte) 6);
final private byte permID;
- final private static NamespacePermission mapping[] = new NamespacePermission[9];
+ final private static NamespacePermission mapping[] = new NamespacePermission[8];
static {
for (NamespacePermission perm : NamespacePermission.values())
mapping[perm.permID] = perm;
@@ -48,7 +49,7 @@ public enum NamespacePermission {
/**
* Gets the byte ID of this permission.
- *
+ *
* @return byte ID
*/
public byte getId() {
@@ -57,7 +58,7 @@ public enum NamespacePermission {
/**
* Returns a list of printable permission values.
- *
+ *
* @return list of namespace permission values, as "Namespace." + permission name
*/
public static List<String> printableValues() {
@@ -73,12 +74,10 @@ public enum NamespacePermission {
/**
* Gets the permission matching the given byte ID.
- *
- * @param id
- * byte ID
+ *
+ * @param id byte ID
* @return system permission
- * @throws IndexOutOfBoundsException
- * if the byte ID is invalid
+ * @throws IndexOutOfBoundsException if the byte ID is invalid
*/
public static NamespacePermission getPermissionById(byte id) {
NamespacePermission result = mapping[id];
@@ -87,48 +86,4 @@ public enum NamespacePermission {
throw new IndexOutOfBoundsException("No such permission");
}
- public static NamespacePermission getEquivalent(TablePermission permission) {
- switch (permission) {
- case READ:
- return NamespacePermission.READ;
- case WRITE:
- return NamespacePermission.WRITE;
- case ALTER_TABLE:
- return NamespacePermission.ALTER_TABLE;
- case GRANT:
- return NamespacePermission.GRANT;
- case DROP_TABLE:
- return NamespacePermission.DROP_TABLE;
- case BULK_IMPORT:
- return NamespacePermission.BULK_IMPORT;
- default:
- return null;
- }
-
- }
-
- public static NamespacePermission getEquivalent(SystemPermission permission) {
- switch (permission) {
- case CREATE_TABLE:
- return NamespacePermission.CREATE_TABLE;
- case DROP_TABLE:
- return NamespacePermission.DROP_TABLE;
- case ALTER_TABLE:
- return NamespacePermission.ALTER_TABLE;
- case ALTER_NAMESPACE:
- return NamespacePermission.ALTER_NAMESPACE;
- case DROP_NAMESPACE:
- return NamespacePermission.DROP_NAMESPACE;
- case GRANT:
- return NamespacePermission.ALTER_NAMESPACE;
- case CREATE_NAMESPACE:
- case CREATE_USER:
- case DROP_USER:
- case ALTER_USER:
- case SYSTEM:
- default:
- return null;
- }
- }
-
}
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
index 07492c6..bbfa71b 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
@@ -233,9 +233,9 @@ public class AuditedSecurityOperation extends SecurityOperation {
public static final String CAN_CREATE_TABLE_AUDIT_TEMPLATE = "action: createTable; targetTable: %s;";
@Override
- public boolean canCreateTable(TCredentials c, String tableName, String namespaceId) throws ThriftSecurityException {
+ public boolean canCreateTable(TCredentials c, String tableName) throws ThriftSecurityException {
try {
- boolean result = super.canCreateTable(c, tableName, namespaceId);
+ boolean result = super.canCreateTable(c, tableName);
audit(c, result, CAN_CREATE_TABLE_AUDIT_TEMPLATE, tableName);
return result;
} catch (ThriftSecurityException ex) {
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index ad1fbc0..4b302f0 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -242,41 +242,15 @@ public class SecurityOperation {
}
}
- private boolean hasSystemPermission(TCredentials credentials, SystemPermission permission, boolean useCached) throws ThriftSecurityException {
- return hasSystemPermissionWithNamespaceId(credentials, permission, null, useCached);
- }
-
- private boolean hasSystemPermissionWithTableId(TCredentials credentials, SystemPermission permission, String tableId, boolean useCached)
- throws ThriftSecurityException {
- if (isSystemUser(credentials))
- return true;
- String namespaceId = null;
- try {
- namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), Tables.getNamespace(HdfsZooInstance.getInstance(), tableId));
- } catch (NamespaceNotFoundException nnfe) {
- // Don't care, we won't pay any attention to namespace permissions
- }
-
- return hasSystemPermissionWithNamespaceId(credentials, permission, namespaceId, useCached);
- }
-
/**
* Checks if a user has a system permission
*
* @return true if a user exists and has permission; false otherwise
*/
- private boolean hasSystemPermissionWithNamespaceId(TCredentials credentials, SystemPermission permission, String namespaceId, boolean useCached)
- throws ThriftSecurityException {
+ private boolean hasSystemPermission(TCredentials credentials, SystemPermission permission, boolean useCached) throws ThriftSecurityException {
if (isSystemUser(credentials))
return true;
-
- if (_hasSystemPermission(credentials.getPrincipal(), permission, useCached))
- return true;
- if (namespaceId != null) {
- return _hasNamespacePermission(credentials.getPrincipal(), namespaceId, NamespacePermission.getEquivalent(permission), useCached);
- }
-
- return false;
+ return _hasSystemPermission(credentials.getPrincipal(), permission, useCached);
}
/**
@@ -308,9 +282,7 @@ public class SecurityOperation {
protected boolean hasTablePermission(TCredentials credentials, String table, TablePermission permission, boolean useCached) throws ThriftSecurityException {
if (isSystemUser(credentials))
return true;
- return _hasTablePermission(credentials.getPrincipal(), table, permission, useCached)
- || _hasNamespacePermission(credentials.getPrincipal(), Tables.getNamespace(HdfsZooInstance.getInstance(), table),
- NamespacePermission.getEquivalent(permission), useCached);
+ return _hasTablePermission(credentials.getPrincipal(), table, permission, useCached);
}
/**
@@ -337,15 +309,51 @@ public class SecurityOperation {
}
/**
+ * Checks if a user has a namespace permission
+ *
+ * @return true if a user exists and has permission; false otherwise
+ */
+ protected boolean hasNamespacePermission(TCredentials credentials, String namespace, NamespacePermission permission, boolean useCached)
+ throws ThriftSecurityException {
+ if (isSystemUser(credentials))
+ return true;
+ return _hasNamespacePermission(credentials.getPrincipal(), namespace, permission, useCached);
+ }
+
+ /**
+ * Checks if a user has a namespace permission given a tableId
+ *
+ * @return true if a user exists and has permission; false otherwise
+ */
+ protected boolean hasNamespacePermissionForTableId(TCredentials credentials, String tableId, NamespacePermission permission, boolean useCached)
+ throws ThriftSecurityException {
+ String namespace = Tables.getNamespace(HdfsZooInstance.getInstance(), tableId);
+ return hasNamespacePermission(credentials, namespace, permission, useCached);
+ }
+
+ /**
+ * Checks if a user has a namespace permission given a tableName
+ *
+ * @return true if a user exists and has permission; false otherwise
+ */
+ protected boolean hasNamespacePermissionForTableName(TCredentials credentials, String tableName, NamespacePermission permission, boolean useCached)
+ throws ThriftSecurityException {
+ String namespace = Tables.qualify(tableName).getFirst();
+ try {
+ String namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), namespace);
+ return hasNamespacePermission(credentials, namespaceId, permission, useCached);
+ } catch (NamespaceNotFoundException e) {
+ throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
+ }
+ }
+
+ /**
* Checks if a user has a namespace permission<br/>
* This cannot check if a system user has permission.
*
* @return true if a user exists and has permission; false otherwise
*/
protected boolean _hasNamespacePermission(String user, String namespace, NamespacePermission permission, boolean useCached) throws ThriftSecurityException {
- if (permission == null)
- return false;
-
targetUserExists(user);
if (namespace.equals(Namespaces.ACCUMULO_NAMESPACE_ID) && permission.equals(NamespacePermission.READ))
@@ -383,7 +391,8 @@ public class SecurityOperation {
public boolean canScan(TCredentials credentials, String table) throws ThriftSecurityException {
authenticate(credentials);
- return hasTablePermission(credentials, table, TablePermission.READ, true);
+ return hasTablePermission(credentials, table, TablePermission.READ, true)
+ || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.READ, true);
}
public boolean canScan(TCredentials credentials, String table, TRange range, List<TColumn> columns, List<IterInfo> ssiList,
@@ -398,21 +407,25 @@ public class SecurityOperation {
public boolean canWrite(TCredentials credentials, String table) throws ThriftSecurityException {
authenticate(credentials);
- return hasTablePermission(credentials, table, TablePermission.WRITE, true);
+ return hasTablePermission(credentials, table, TablePermission.WRITE, true)
+ || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.WRITE, true);
}
public boolean canConditionallyUpdate(TCredentials credentials, String tableID, List<ByteBuffer> authorizations) throws ThriftSecurityException {
authenticate(credentials);
- return hasTablePermission(credentials, tableID, TablePermission.WRITE, true) && hasTablePermission(credentials, tableID, TablePermission.READ, true);
+ return (hasTablePermission(credentials, tableID, TablePermission.WRITE, true) || hasNamespacePermissionForTableId(credentials, tableID,
+ NamespacePermission.WRITE, true))
+ && (hasTablePermission(credentials, tableID, TablePermission.READ, true) || hasNamespacePermissionForTableId(credentials, tableID,
+ NamespacePermission.READ, true));
}
- public boolean canSplitTablet(TCredentials credentials, String tableId) throws ThriftSecurityException {
+ public boolean canSplitTablet(TCredentials credentials, String table) throws ThriftSecurityException {
authenticate(credentials);
- return hasSystemPermissionWithTableId(credentials, SystemPermission.ALTER_TABLE, tableId, false)
- || hasSystemPermissionWithTableId(credentials, SystemPermission.SYSTEM, tableId, false)
- || hasTablePermission(credentials, tableId, TablePermission.ALTER_TABLE, false);
+ return hasSystemPermission(credentials, SystemPermission.ALTER_TABLE, false) || hasSystemPermission(credentials, SystemPermission.SYSTEM, false)
+ || hasTablePermission(credentials, table, TablePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.ALTER_TABLE, false);
}
/**
@@ -425,53 +438,64 @@ public class SecurityOperation {
public boolean canFlush(TCredentials c, String tableId) throws ThriftSecurityException {
authenticate(c);
- return hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+ return hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
}
public boolean canAlterTable(TCredentials c, String tableId) throws ThriftSecurityException {
authenticate(c);
- return hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
- || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false);
+ return hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false);
}
- public boolean canCreateTable(TCredentials c, String table, String namespaceId) throws ThriftSecurityException {
+ public boolean canCreateTable(TCredentials c, String tableName) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithNamespaceId(c, SystemPermission.CREATE_TABLE, namespaceId, false);
+ return hasNamespacePermissionForTableName(c, tableName, NamespacePermission.CREATE_TABLE, false) || canCreateTable(c);
+ }
+
+ public boolean canCreateTable(TCredentials c) throws ThriftSecurityException {
+ authenticate(c);
+ return hasSystemPermission(c, SystemPermission.CREATE_TABLE, false);
}
public boolean canRenameTable(TCredentials c, String tableId, String oldTableName, String newTableName) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
- || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+ return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false);
}
public boolean canCloneTable(TCredentials c, String tableId, String tableName) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.CREATE_TABLE, tableId, false) && hasTablePermission(c, tableId, TablePermission.READ, false);
+ return (hasSystemPermission(c, SystemPermission.CREATE_TABLE, false) || hasNamespacePermissionForTableName(c, tableName, NamespacePermission.CREATE_TABLE,
+ false))
+ && (hasTablePermission(c, tableId, TablePermission.READ, false) || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.READ, false));
}
public boolean canDeleteTable(TCredentials c, String tableId) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.DROP_TABLE, tableId, false) || hasTablePermission(c, tableId, TablePermission.DROP_TABLE, false);
+ return hasSystemPermission(c, SystemPermission.DROP_TABLE, false) || hasTablePermission(c, tableId, TablePermission.DROP_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.DROP_TABLE, false);
}
public boolean canOnlineOfflineTable(TCredentials c, String tableId, FateOperation op) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false)
- || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
- || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+ return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false)
+ || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false);
}
public boolean canMerge(TCredentials c, String tableId) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false)
- || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
- || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+ return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false)
+ || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false);
}
public boolean canDeleteRange(TCredentials c, String tableId, String tableName, Text startRow, Text endRow) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false) || hasTablePermission(c, tableId, TablePermission.WRITE, false);
+ return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasTablePermission(c, tableId, TablePermission.WRITE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
}
public boolean canBulkImport(TCredentials c, String tableId, String tableName, String dir, String failDir) throws ThriftSecurityException {
@@ -485,8 +509,9 @@ public class SecurityOperation {
public boolean canCompact(TCredentials c, String tableId) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
- || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false) || hasTablePermission(c, tableId, TablePermission.WRITE, false);
+ return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+ || hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE, false)
+ || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
}
public boolean canChangeAuthorizations(TCredentials c, String user) throws ThriftSecurityException {
@@ -521,21 +546,13 @@ public class SecurityOperation {
public boolean canGrantTable(TCredentials c, String user, String table) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, table, false) || hasTablePermission(c, table, TablePermission.GRANT, false);
+ return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, table, TablePermission.GRANT, false)
+ || hasNamespacePermissionForTableId(c, table, NamespacePermission.ALTER_TABLE, false);
}
public boolean canGrantNamespace(TCredentials c, String user, String namespace) throws ThriftSecurityException {
- return canModifyNamespacePermission(c, user, namespace);
- }
-
- private boolean canModifyNamespacePermission(TCredentials c, String user, String namespace) throws ThriftSecurityException {
authenticate(c);
- // The one case where Table/SystemPermission -> NamespacePermission breaks down. The alternative is to make SystemPermission.ALTER_NAMESPACE provide
- // NamespacePermission.GRANT & ALTER_NAMESPACE, but then it would cause some permission checks to succeed with GRANT when they shouldn't
-
- // This is a bit hackier then I (vines) wanted, but I think this one hackiness makes the overall SecurityOperations more succinct.
- return hasSystemPermissionWithNamespaceId(c, SystemPermission.ALTER_NAMESPACE, namespace, false)
- || hasNamespacePermission(c, c.principal, namespace, NamespacePermission.GRANT);
+ return hasSystemPermission(c, SystemPermission.ALTER_NAMESPACE, false) || hasNamespacePermission(c, namespace, NamespacePermission.GRANT, false);
}
public boolean canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException {
@@ -553,11 +570,13 @@ public class SecurityOperation {
public boolean canRevokeTable(TCredentials c, String user, String table) throws ThriftSecurityException {
authenticate(c);
- return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, table, false) || hasTablePermission(c, table, TablePermission.GRANT, false);
+ return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, table, TablePermission.GRANT, false)
+ || hasNamespacePermissionForTableId(c, table, NamespacePermission.ALTER_TABLE, false);
}
public boolean canRevokeNamespace(TCredentials c, String user, String namespace) throws ThriftSecurityException {
- return canModifyNamespacePermission(c, user, namespace);
+ authenticate(c);
+ return hasSystemPermission(c, SystemPermission.ALTER_NAMESPACE, false) || hasNamespacePermission(c, namespace, NamespacePermission.GRANT, false);
}
public void changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations) throws ThriftSecurityException {
@@ -768,17 +787,20 @@ public class SecurityOperation {
public boolean canExport(TCredentials credentials, String tableId, String tableName, String exportDir) throws ThriftSecurityException {
authenticate(credentials);
- return hasTablePermission(credentials, tableId, TablePermission.READ, false);
+ return hasTablePermission(credentials, tableId, TablePermission.READ, false)
+ || hasNamespacePermissionForTableId(credentials, tableId, NamespacePermission.READ, false);
}
public boolean canImport(TCredentials credentials, String tableName, String importDir) throws ThriftSecurityException {
authenticate(credentials);
- return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.CREATE_TABLE, Tables.qualify(tableName).getFirst(), false);
+ return hasSystemPermission(credentials, SystemPermission.CREATE_TABLE, false)
+ || hasNamespacePermissionForTableName(credentials, tableName, NamespacePermission.CREATE_TABLE, false);
}
public boolean canAlterNamespace(TCredentials credentials, String namespaceId) throws ThriftSecurityException {
authenticate(credentials);
- return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.ALTER_NAMESPACE, namespaceId, false);
+ return hasNamespacePermission(credentials, namespaceId, NamespacePermission.ALTER_NAMESPACE, false)
+ || hasSystemPermission(credentials, SystemPermission.ALTER_NAMESPACE, false);
}
public boolean canCreateNamespace(TCredentials credentials, String namespace) throws ThriftSecurityException {
@@ -793,12 +815,13 @@ public class SecurityOperation {
public boolean canDeleteNamespace(TCredentials credentials, String namespaceId) throws ThriftSecurityException {
authenticate(credentials);
- return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.DROP_NAMESPACE, namespaceId, false);
+ return hasSystemPermission(credentials, SystemPermission.DROP_NAMESPACE, false);
}
public boolean canRenameNamespace(TCredentials credentials, String namespaceId, String oldName, String newName) throws ThriftSecurityException {
authenticate(credentials);
- return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.ALTER_NAMESPACE, namespaceId, false);
+ return hasNamespacePermission(credentials, namespaceId, NamespacePermission.ALTER_NAMESPACE, false)
+ || hasSystemPermission(credentials, SystemPermission.ALTER_NAMESPACE, false);
}
}
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
----------------------------------------------------------------------
diff --git a/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
index a0f1b01..afcda86 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
@@ -58,7 +58,6 @@ import org.apache.accumulo.master.tableOps.RenameTable;
import org.apache.accumulo.master.tableOps.TableRangeOp;
import org.apache.accumulo.master.tableOps.TraceRepo;
import org.apache.accumulo.server.client.ClientServiceHandler;
-import org.apache.accumulo.server.client.HdfsZooInstance;
import org.apache.accumulo.server.master.state.MergeInfo;
import org.apache.accumulo.server.util.TablePropUtil;
import org.apache.accumulo.trace.thrift.TInfo;
@@ -127,19 +126,14 @@ class FateServiceHandler implements FateService.Iface {
String tableName = validateTableNameArgument(arguments.get(0), tableOp, Tables.NOT_SYSTEM);
TimeType timeType = TimeType.valueOf(ByteBufferUtil.toString(arguments.get(1)));
- String namespaceId;
+ if (!master.security.canCreateTable(c, tableName))
+ throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
try {
- namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), Tables.qualify(tableName).getFirst());
+ master.fate.seedTransaction(opid, new TraceRepo<Master>(new CreateTable(c.getPrincipal(), tableName, timeType, options)), autoCleanup);
} catch (NamespaceNotFoundException e) {
throw new ThriftTableOperationException(null, tableName, tableOp, TableOperationExceptionType.NAMESPACE_NOTFOUND, "");
}
-
- if (!master.security.canCreateTable(c, tableName, namespaceId))
- throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-
- master.fate.seedTransaction(opid, new TraceRepo<Master>(new CreateTable(c.getPrincipal(), tableName, timeType, options, namespaceId)), autoCleanup);
-
break;
}
case TABLE_RENAME: {
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
----------------------------------------------------------------------
diff --git a/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
index 33ee878..9535781 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
@@ -22,7 +22,9 @@ import java.util.Map.Entry;
import org.apache.accumulo.core.Constants;
import org.apache.accumulo.core.client.Instance;
+import org.apache.accumulo.core.client.NamespaceNotFoundException;
import org.apache.accumulo.core.client.admin.TimeType;
+import org.apache.accumulo.core.client.impl.Namespaces;
import org.apache.accumulo.core.client.impl.Tables;
import org.apache.accumulo.core.client.impl.thrift.TableOperation;
import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException;
@@ -33,6 +35,7 @@ import org.apache.accumulo.fate.Repo;
import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeExistsPolicy;
import org.apache.accumulo.master.Master;
import org.apache.accumulo.server.ServerConstants;
+import org.apache.accumulo.server.client.HdfsZooInstance;
import org.apache.accumulo.server.fs.VolumeManager;
import org.apache.accumulo.server.security.AuditedSecurityOperation;
import org.apache.accumulo.server.security.SecurityOperation;
@@ -276,13 +279,14 @@ public class CreateTable extends MasterRepo {
private TableInfo tableInfo;
- public CreateTable(String user, String tableName, TimeType timeType, Map<String,String> props, String namespaceId) {
+ public CreateTable(String user, String tableName, TimeType timeType, Map<String,String> props) throws NamespaceNotFoundException {
tableInfo = new TableInfo();
tableInfo.tableName = tableName;
tableInfo.timeType = TabletTime.getTimeID(timeType);
tableInfo.user = user;
tableInfo.props = props;
- tableInfo.namespaceId = namespaceId;
+ Instance inst = HdfsZooInstance.getInstance();
+ tableInfo.namespaceId = Namespaces.getNamespaceId(inst, Tables.qualify(tableInfo.tableName).getFirst());
}
@Override
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
index 4c10b13..16310a5 100644
--- a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
+++ b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
@@ -36,7 +36,7 @@ public class CreateTable extends Test {
String tableName = WalkingSecurity.get(state).getTableName();
boolean exists = WalkingSecurity.get(state).getTableExists();
- boolean hasPermission = WalkingSecurity.get(state).canCreateTable(WalkingSecurity.get(state).getSysCredentials(), null, null);
+ boolean hasPermission = WalkingSecurity.get(state).canCreateTable(WalkingSecurity.get(state).getSysCredentials());
try {
conn.tableOperations().create(tableName);
http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
index 6915c96..addb377 100644
--- a/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
@@ -560,7 +560,7 @@ public class NamespacesIT extends SimpleMacIT {
c.securityOperations().createLocalUser(u1, pass);
Connector user1Con = c.getInstance().getConnector(u1, pass);
-
+
try {
user1Con.tableOperations().create(t2);
fail();
@@ -680,7 +680,6 @@ public class NamespacesIT extends SimpleMacIT {
user1Con.namespaceOperations().create(n2);
c.securityOperations().revokeSystemPermission(u1, SystemPermission.CREATE_NAMESPACE);
- c.securityOperations().revokeNamespacePermission(u1, n2, NamespacePermission.DROP_NAMESPACE);
try {
user1Con.namespaceOperations().delete(n2);
fail();