Posted to commits@hbase.apache.org by te...@apache.org on 2012/04/18 20:20:46 UTC
svn commit: r1327605 - in /hbase/trunk/security/src:
main/java/org/apache/hadoop/hbase/security/access/AccessController.java
test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Author: tedyu
Date: Wed Apr 18 18:20:46 2012
New Revision: 1327605
URL: http://svn.apache.org/viewvc?rev=1327605&view=rev
Log:
HBASE-5787 Table owner can't disable/delete its own table (Matteo)
Modified:
hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Modified: hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1327605&r1=1327604&r2=1327605&view=diff
==============================================================================
--- hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (original)
+++ hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java Wed Apr 18 18:20:46 2012
@@ -505,7 +505,11 @@ public class AccessController extends Ba
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- requirePermission(Permission.Action.CREATE);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
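Review bot: The ownership lookup in the new `if` runs before any permission check, so a caller with no permissions at all who names a table that does not exist most likely gets a TableNotFoundException out of `e.getTable` (inside `isActiveUserTableOwner`, added later in this diff) rather than an access-denied error, which lets unprivileged callers tell existing tables from non-existing ones; the preEnableTable and preDisableTable hunks use the same order. Having the helper treat a missing table as "not the owner" keeps the denial path uniform: wrap the descriptor lookup in `getTableOwner` with `catch (TableNotFoundException tnfe) { return null; }`, after which the ADMIN check still runs and fails for that caller, while an ADMIN caller hits the missing table in the operation itself. The accompanying test hunks only rename locals; none of them grants USER_OWNER global CREATE and verifies that the owner branch is actually taken, so as far as this commit shows the new path is untested.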
@@ -555,8 +559,11 @@ public class AccessController extends Ba
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- /* TODO: Allow for users with global CREATE permission and the table owner */
- requirePermission(Permission.Action.ADMIN);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -565,8 +572,11 @@ public class AccessController extends Ba
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
- /* TODO: Allow for users with global CREATE permission and the table owner */
- requirePermission(Permission.Action.ADMIN);
+ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+ requirePermission(Permission.Action.CREATE);
+ } else {
+ requirePermission(Permission.Action.ADMIN);
+ }
}
@Override
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -1027,4 +1037,16 @@ public class AccessController extends Ba
}
return tableName;
}
+
+ private String getTableOwner(MasterCoprocessorEnvironment e,
+ byte[] tableName) throws IOException {
+ HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
+ return htd.getOwnerString();
+ }
+
+ private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
+ byte[] tableName) throws IOException {
+ String activeUser = getActiveUser().getShortName();
+ return activeUser.equals(getTableOwner(e, tableName));
+ }
}
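Review bot: `getTableOwner` opens a table through `e.getTable(tableName)` only to read its descriptor and never closes the handle; an HTable holds a connection reference that is released on close(), so each owner check in the pre-hooks appears to leak one until the object is garbage-collected. Wrap the lookup in try/finally so the handle is closed on every path, as below; `isActiveUserTableOwner` is unchanged. A comment on `isActiveUserTableOwner` should also state that it compares the active user's short name with whatever owner string is stored in the descriptor, so a null or empty owner simply yields `false` and falls through to the ADMIN requirement.
```java
  private String getTableOwner(MasterCoprocessorEnvironment e,
      byte[] tableName) throws IOException {
    HTableInterface table = e.getTable(tableName);
    try {
      return table.getTableDescriptor().getOwnerString();
    } finally {
      table.close();
    }
  }
  // … unchanged: isActiveUserTableOwner …
```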
Modified: hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1327605&r1=1327604&r2=1327605&view=diff
==============================================================================
--- hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (original)
+++ hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java Wed Apr 18 18:20:46 2012
@@ -205,7 +205,7 @@ public class TestAccessController {
@Test
public void testTableModify() throws Exception {
- PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+ PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@@ -216,18 +216,18 @@ public class TestAccessController {
};
// all others should be denied
- verifyDenied(USER_OWNER, disableTable);
- verifyDenied(USER_RW, disableTable);
- verifyDenied(USER_RO, disableTable);
- verifyDenied(USER_NONE, disableTable);
+ verifyDenied(USER_OWNER, modifyTable);
+ verifyDenied(USER_RW, modifyTable);
+ verifyDenied(USER_RO, modifyTable);
+ verifyDenied(USER_NONE, modifyTable);
// verify that superuser can create tables
- verifyAllowed(SUPERUSER, disableTable);
+ verifyAllowed(SUPERUSER, modifyTable);
}
@Test
public void testTableDelete() throws Exception {
- PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+ PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null;
@@ -235,13 +235,13 @@ public class TestAccessController {
};
// all others should be denied
- verifyDenied(USER_OWNER, disableTable);
- verifyDenied(USER_RW, disableTable);
- verifyDenied(USER_RO, disableTable);
- verifyDenied(USER_NONE, disableTable);
+ verifyDenied(USER_OWNER, deleteTable);
+ verifyDenied(USER_RW, deleteTable);
+ verifyDenied(USER_RO, deleteTable);
+ verifyDenied(USER_NONE, deleteTable);
// verify that superuser can create tables
- verifyAllowed(SUPERUSER, disableTable);
+ verifyAllowed(SUPERUSER, deleteTable);
}
@Test