You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@accumulo.apache.org by vi...@apache.org on 2012/01/10 18:23:13 UTC

svn commit: r1229646 - /incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java

Author: vines
Date: Tue Jan 10 17:23:13 2012
New Revision: 1229646

URL: http://svn.apache.org/viewvc?rev=1229646&view=rev
Log:
ACCUMULO-264 - merging to trunk


Modified:
    incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java

Modified: incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
URL: http://svn.apache.org/viewvc/incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java?rev=1229646&r1=1229645&r2=1229646&view=diff
==============================================================================
--- incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java (original)
+++ incubator/accumulo/trunk/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java Tue Jan 10 17:23:13 2012
@@ -208,6 +208,15 @@ public final class ZKAuthenticator imple
     if (!hasSystemPermission(credentials, credentials.user, SystemPermission.CREATE_USER))
       throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.PERMISSION_DENIED);
     
+    if (!hasSystemPermission(credentials, credentials.user, SystemPermission.ALTER_USER)) {
+      Authorizations creatorAuths = getUserAuthorizations(credentials, credentials.user);
+      for (byte[] auth : authorizations.getAuthorizations())
+        if (!creatorAuths.contains(auth)) {
+          log.info("User " + credentials.user + " attempted to create a user " + user + " with authorization " + new String(auth) + " they did not have");
+          throw new AccumuloSecurityException(credentials.user, SecurityErrorCode.BAD_AUTHORIZATIONS);
+        }
+    }
+    
     // don't allow creating a user with the same name as system user
     if (user.equals(SecurityConstants.SYSTEM_USERNAME))
       throw new AccumuloSecurityException(user, SecurityErrorCode.PERMISSION_DENIED);