Posted to commits@hbase.apache.org by st...@apache.org on 2020/05/01 18:58:43 UTC
[hbase] branch branch-2.3 updated: [HBASE-24288]Allow admin user to
create table and do bulkLoad (#1612)
This is an automated email from the ASF dual-hosted git repository.
stack pushed a commit to branch branch-2.3
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.3 by this push:
new 9d90287 [HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)
9d90287 is described below
commit 9d90287b6d99debd231adf1d8932b562275247d0
Author: xincunSong <36...@qq.com>
AuthorDate: Sat May 2 02:57:33 2020 +0800
[HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)
Signed-off-by: Guangxu Cheng <gx...@apache.org>
Signed-off-by: binlijin <bi...@gmail.com>
---
.../hadoop/hbase/security/access/AccessController.java | 13 ++++++++-----
.../hbase/security/access/TestAccessController.java | 16 +++++++---------
.../hbase/security/access/TestAccessController3.java | 6 +++---
.../hbase/security/access/TestNamespaceCommands.java | 11 ++++++-----
4 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index c98fc11..5a23a5c 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -772,7 +772,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
familyMap.put(family, null);
}
requireNamespacePermission(c, "createTable",
- desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
+ desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
+ Action.CREATE);
}
@Override
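Review bot: The `requireNamespacePermission` call in the createTable pre-hook now accepts `Action.ADMIN` as well as `Action.CREATE`, but nothing at the call site says that the two are alternatives or that this widens what existing ADMIN grants allow. Every principal that already holds ADMIN at global or namespace scope gains table creation on upgrade without any new grant, so the change deserves a comment here and a line in the release notes and permission documentation. I would add above the call `// ADMIN or CREATE (global or namespace scope) is sufficient; the actions are alternatives, not a conjunction.` The any-of reading is inferred from the updated tests, which allow USER_NS_ADMIN and USER_NS_CREATE separately; the helper itself and the start of the enclosing method are outside the hunk.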
@@ -1916,7 +1917,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
/**
- * Verifies user has CREATE privileges on
+ * Verifies user has CREATE or ADMIN privileges on
* the Column Families involved in the bulkLoadHFile
* request. Specific Column Write privileges are presently
* ignored.
@@ -1928,7 +1929,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for(Pair<byte[],String> el : familyPaths) {
accessChecker.requirePermission(user, "preBulkLoadHFile",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
- null, Action.CREATE);
+ null, Action.ADMIN, Action.CREATE);
}
}
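Review bot: The pair `Action.ADMIN, Action.CREATE` is written out in the `preBulkLoadHFile` loop here and again in `prePrepareBulkLoad` and `preCleanupBulkLoad` in the next two hunks, so the three bulk-load hooks can drift apart the next time the policy changes. Because they gate the same operation, one named constant would keep them in step, for example `private static final Action[] BULK_LOAD_ACTIONS = { Action.ADMIN, Action.CREATE };` passed as the last argument, assuming the helpers take the actions as varargs (their signatures are not visible here). The Javadoc above already says column WRITE privileges are ignored; with this change an ADMIN-only principal can also load data into a family, which is worth stating there, e.g. `* ADMIN alone is sufficient; WRITE is not consulted.` The method signature is outside the hunk.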
@@ -1942,7 +1943,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "prePrepareBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
}
/**
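Review bot: The Javadoc of `prePrepareBulkLoad` sits above this hunk and is not touched by the commit, and the same holds for `preCleanupBulkLoad` in the next hunk, whereas the `preBulkLoadHFile` comment was updated to say "CREATE or ADMIN". If either comment names the required privilege it is now stale; both should state the rule the same way, for example `* Requires ADMIN or CREATE on the table.` Whether they mention CREATE today cannot be told from the lines shown.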
@@ -1955,7 +1957,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "preCleanupBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
}
/* ---- EndpointObserver implementation ---- */
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 1c9588c..1d6af1a 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -396,11 +396,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
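Review bot: The comment `// verify that superuser can create tables` above `verifyAllowed` no longer matches the list, which also allows USER_ADMIN, USER_GROUP_CREATE and now USER_GROUP_ADMIN. In an access-control test the comment is the stated policy, so I would change it to `// superuser and holders of ADMIN or CREATE at global/namespace scope can create tables`; the scope wording is my reading of the principal names and should be checked against the test setup. USER_CREATE staying in `verifyDenied` deserves a short comment as well, since it appears to be the case showing that a narrower CREATE grant is not enough. The same stale comment is in the TestAccessController3 hunk.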
@@ -997,9 +997,8 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
- USER_GROUP_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
@@ -2881,9 +2880,8 @@ public class TestAccessController extends SecureTestUtil {
private void verifyAnyCreate(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
- USER_GROUP_CREATE);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
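Review bot: `verifyAnyCreate` now also expects USER_GROUP_ADMIN to be allowed, so the helper's name no longer describes what it asserts. Renaming it would touch callers outside this hunk, so at minimum add a comment above it: `// Allowed: any principal holding CREATE or ADMIN; READ/WRITE-only principals are denied.`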
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
index e4a7e84..2920054 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
@@ -287,11 +287,11 @@ public class TestAccessController3 extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 9faa3d9..dbb5bfd 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -523,10 +523,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- //createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
- verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
- USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
- USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
+ //createTable : superuser | global(AC) | NS(AC)
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
+ USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
+ USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
}
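Review bot: The updated comment `//createTable : superuser | global(AC) | NS(AC)` can be read as requiring both A and C, while the assertions below allow ADMIN-only and CREATE-only principals separately. I would write `// createTable : superuser | global(A or C) | NS(A or C); table-scoped grants are not sufficient`, which also records why USER_TABLE_CREATE and USER_TABLE_WRITE stay in `verifyDenied` (the table scope is inferred from the principal names).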