Posted to commits@hbase.apache.org by st...@apache.org on 2020/05/01 18:59:09 UTC
[hbase] branch branch-2.2 updated: [HBASE-24288]Allow admin user to
create table and do bulkLoad (#1612)
This is an automated email from the ASF dual-hosted git repository.
stack pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.2 by this push:
new ac51f5e [HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)
ac51f5e is described below
commit ac51f5ee6fd2898ac26ebf10948a43df5628b108
Author: xincunSong <36...@qq.com>
AuthorDate: Sat May 2 02:57:33 2020 +0800
[HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)
Signed-off-by: Guangxu Cheng <gx...@apache.org>
Signed-off-by: binlijin <bi...@gmail.com>
---
.../hadoop/hbase/security/access/AccessController.java | 13 ++++++++-----
.../hbase/security/access/TestAccessController.java | 16 +++++++---------
.../hbase/security/access/TestAccessController3.java | 6 +++---
.../hbase/security/access/TestNamespaceCommands.java | 11 ++++++-----
4 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 314c6ba..ab8a7e7 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -762,7 +762,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
familyMap.put(family, null);
}
requireNamespacePermission(c, "createTable",
- desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
+ desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
+ Action.CREATE);
}
@Override
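Review bot: The createTable check now passes two actions, and nothing at the call site says they are alternatives; a reader of `requireNamespacePermission(..., Action.ADMIN, Action.CREATE)` could take it as requiring both. The test changes in this commit (namespace and group ADMIN users are moved into the allowed lists) imply any-of semantics, so a comment above the call such as `// ADMIN or CREATE on the namespace is sufficient (HBASE-24288)` would make the widened authorization explicit. The same applies to the three bulk-load checks in the later hunks of this file. The diffstat lists only code and test files, so any operator-facing permission matrix that names CREATE alone for createTable and bulk load would need a matching update. The enclosing method starts outside the hunk.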
@@ -1900,7 +1901,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
/**
- * Verifies user has CREATE privileges on
+ * Verifies user has CREATE or ADMIN privileges on
* the Column Families involved in the bulkLoadHFile
* request. Specific Column Write privileges are presently
* ignored.
@@ -1912,7 +1913,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for(Pair<byte[],String> el : familyPaths) {
accessChecker.requirePermission(user, "preBulkLoadHFile",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
- null, Action.CREATE);
+ null, Action.ADMIN, Action.CREATE);
}
}
@@ -1926,7 +1927,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "prePrepareBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
}
/**
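Review bot: The Javadoc of prePrepareBulkLoad is not touched by this hunk, although the comment on the bulkLoadHFile check was updated to "CREATE or ADMIN" earlier in the file; if it still names CREATE as the required privilege, it is now stale. That comment block lies outside the hunk, so this is inferred rather than visible. A line such as `Requires ADMIN or CREATE on the table being loaded.` in the method's Javadoc would keep the documented contract in step with the check. The same applies to preCleanupBulkLoad in the next hunk.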
@@ -1939,7 +1941,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "preCleanupBulkLoad",
- ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
+ ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
+ Action.CREATE);
}
/* ---- EndpointObserver implementation ---- */
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 2ce2642..06a45af 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -400,11 +400,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
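Review bot: The comment `// verify that superuser can create tables` above the first assertion no longer describes the list, which now also covers USER_ADMIN, USER_GROUP_CREATE and USER_GROUP_ADMIN. Something like `// superuser and users holding ADMIN or CREATE at a sufficient scope can create tables` would match what is asserted. USER_CREATE stays in the denied list, presumably because its grant is narrower than the namespace, and a short comment saying so would stop a later reader from treating it as an oversight. The identical hunk in TestAccessController3 has the same stale comment.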
@@ -1001,9 +1001,8 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
- USER_GROUP_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
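Review bot: The new bulk-load assertions exercise ADMIN only through USER_GROUP_ADMIN, while the production check is made per column family. A family-scoped ADMIN principal such as USER_ADMIN_CF, which appears in `verifyAnyCreate` later in this file, is not asserted either way in the visible allowed and denied lists. Adding it to whichever list matches its grant would pin the narrowest scope at which ADMIN now authorizes a bulk load, which is the boundary most likely to regress unnoticed. The test method starts and ends outside the hunk, so the user may be covered elsewhere in it.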
@@ -2886,9 +2885,8 @@ public class TestAccessController extends SecureTestUtil {
private void verifyAnyCreate(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
- USER_GROUP_CREATE);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
- USER_GROUP_ADMIN);
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
index 7b10e3f..1336b30 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
@@ -291,11 +291,11 @@ public class TestAccessController3 extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
- USER_GROUP_READ, USER_GROUP_WRITE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 15577aa..9e696fd 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -517,10 +517,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- //createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
- verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
- USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
- USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
+ //createTable : superuser | global(AC) | NS(AC)
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
+ USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
+ USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
}
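Review bot: The updated matrix comment `//createTable : superuser | global(AC) | NS(AC)` can be read as requiring both A and C, whereas the assertions below it allow users holding only one of them (USER_NS_ADMIN, USER_NS_CREATE). Writing it as `//createTable : superuser | global(A or C) | NS(A or C)` removes the ambiguity. USER_TABLE_CREATE remains in the denied list, which usefully pins that table-scoped grants still do not authorize table creation.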