accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From vi...@apache.org
Subject git commit: Revert "ACCUMULO-1479 Simplification of namespace support in SecurityOperation" Didn't mean to commit this
Date Tue, 28 Jan 2014 22:04:52 GMT
Updated Branches:
  refs/heads/1.6.0-SNAPSHOT 4cdd6d51a -> f382cd8bb


Revert "ACCUMULO-1479 Simplification of namespace support in SecurityOperation"
Didn't mean to commit this

This reverts commit 8cce1fdc3de13471f7dff00f7d18c7d78d8f968f.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/f382cd8b
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/f382cd8b
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/f382cd8b

Branch: refs/heads/1.6.0-SNAPSHOT
Commit: f382cd8bb7b704b4b8f3197d7f0389d4053cfc31
Parents: 4cdd6d5
Author: John Vines <vines@apache.org>
Authored: Tue Jan 28 17:04:23 2014 -0500
Committer: John Vines <vines@apache.org>
Committed: Tue Jan 28 17:04:37 2014 -0500

----------------------------------------------------------------------
 .../core/security/NamespacePermission.java      |  67 ++-----
 .../security/AuditedSecurityOperation.java      |   4 +-
 .../server/security/SecurityOperation.java      | 177 +++++++++++--------
 .../accumulo/master/FateServiceHandler.java     |  12 +-
 .../accumulo/master/tableOps/CreateTable.java   |   8 +-
 .../test/randomwalk/security/CreateTable.java   |   2 +-
 .../org/apache/accumulo/test/NamespacesIT.java  |   3 +-
 7 files changed, 124 insertions(+), 149 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
index f9f7564..1066bc4 100644
--- a/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
+++ b/core/src/main/java/org/apache/accumulo/core/security/NamespacePermission.java
@@ -23,20 +23,21 @@ import java.util.List;
  * Accumulo namespace permissions. Each permission has an associated byte ID.
  */
 public enum NamespacePermission {
-  // One may add new permissions, but new permissions must use new numbers. Current numbers
in use must not be changed.
+  /*
+   * One may add new permissions, but new permissions must use new numbers.
+   * Current numbers in use must not be changed.
+   */
   READ((byte) 0),
   WRITE((byte) 1),
   ALTER_NAMESPACE((byte) 2),
   GRANT((byte) 3),
   ALTER_TABLE((byte) 4),
   CREATE_TABLE((byte) 5),
-  DROP_TABLE((byte) 6), 
-  BULK_IMPORT((byte) 7), 
-  DROP_NAMESPACE((byte) 8);
+  DROP_TABLE((byte) 6);
 
   final private byte permID;
 
-  final private static NamespacePermission mapping[] = new NamespacePermission[9];
+  final private static NamespacePermission mapping[] = new NamespacePermission[8];
   static {
     for (NamespacePermission perm : NamespacePermission.values())
       mapping[perm.permID] = perm;
@@ -48,7 +49,7 @@ public enum NamespacePermission {
 
   /**
    * Gets the byte ID of this permission.
-   * 
+   *
    * @return byte ID
    */
   public byte getId() {
@@ -57,7 +58,7 @@ public enum NamespacePermission {
 
   /**
    * Returns a list of printable permission values.
-   * 
+   *
    * @return list of namespace permission values, as "Namespace." + permission name
    */
   public static List<String> printableValues() {
@@ -73,12 +74,10 @@ public enum NamespacePermission {
 
   /**
    * Gets the permission matching the given byte ID.
-   * 
-   * @param id
-   *          byte ID
+   *
+   * @param id byte ID
    * @return system permission
-   * @throws IndexOutOfBoundsException
-   *           if the byte ID is invalid
+   * @throws IndexOutOfBoundsException if the byte ID is invalid
    */
   public static NamespacePermission getPermissionById(byte id) {
     NamespacePermission result = mapping[id];
@@ -87,48 +86,4 @@ public enum NamespacePermission {
     throw new IndexOutOfBoundsException("No such permission");
   }
 
-  public static NamespacePermission getEquivalent(TablePermission permission) {
-    switch (permission) {
-      case READ:
-        return NamespacePermission.READ;
-      case WRITE:
-        return NamespacePermission.WRITE;
-      case ALTER_TABLE:
-        return NamespacePermission.ALTER_TABLE;
-      case GRANT:
-        return NamespacePermission.GRANT;
-      case DROP_TABLE:
-        return NamespacePermission.DROP_TABLE;
-      case BULK_IMPORT:
-        return NamespacePermission.BULK_IMPORT;
-      default:
-        return null;
-    }
-
-  }
-
-  public static NamespacePermission getEquivalent(SystemPermission permission) {
-    switch (permission) {
-      case CREATE_TABLE:
-        return NamespacePermission.CREATE_TABLE;
-      case DROP_TABLE:
-        return NamespacePermission.DROP_TABLE;
-      case ALTER_TABLE:
-        return NamespacePermission.ALTER_TABLE;
-      case ALTER_NAMESPACE:
-        return NamespacePermission.ALTER_NAMESPACE;
-      case DROP_NAMESPACE:
-        return NamespacePermission.DROP_NAMESPACE;
-      case GRANT:
-        return NamespacePermission.ALTER_NAMESPACE;
-      case CREATE_NAMESPACE:
-      case CREATE_USER:
-      case DROP_USER:
-      case ALTER_USER:
-      case SYSTEM:
-      default:
-        return null;
-    }
-  }
-
 }

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
index 07492c6..bbfa71b 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
@@ -233,9 +233,9 @@ public class AuditedSecurityOperation extends SecurityOperation {
   public static final String CAN_CREATE_TABLE_AUDIT_TEMPLATE = "action: createTable; targetTable:
%s;";
 
   @Override
-  public boolean canCreateTable(TCredentials c, String tableName, String namespaceId) throws
ThriftSecurityException {
+  public boolean canCreateTable(TCredentials c, String tableName) throws ThriftSecurityException
{
     try {
-      boolean result = super.canCreateTable(c, tableName, namespaceId);
+      boolean result = super.canCreateTable(c, tableName);
       audit(c, result, CAN_CREATE_TABLE_AUDIT_TEMPLATE, tableName);
       return result;
     } catch (ThriftSecurityException ex) {

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index ad1fbc0..4b302f0 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -242,41 +242,15 @@ public class SecurityOperation {
     }
   }
 
-  private boolean hasSystemPermission(TCredentials credentials, SystemPermission permission,
boolean useCached) throws ThriftSecurityException {
-    return hasSystemPermissionWithNamespaceId(credentials, permission, null, useCached);
-  }
-
-  private boolean hasSystemPermissionWithTableId(TCredentials credentials, SystemPermission
permission, String tableId, boolean useCached)
-      throws ThriftSecurityException {
-    if (isSystemUser(credentials))
-      return true;
-    String namespaceId = null;
-    try {
-      namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), Tables.getNamespace(HdfsZooInstance.getInstance(),
tableId));
-    } catch (NamespaceNotFoundException nnfe) {
-      // Don't care, we won't pay any attention to namespace permissions
-    }
-
-    return hasSystemPermissionWithNamespaceId(credentials, permission, namespaceId, useCached);
-  }
-
   /**
    * Checks if a user has a system permission
    * 
    * @return true if a user exists and has permission; false otherwise
    */
-  private boolean hasSystemPermissionWithNamespaceId(TCredentials credentials, SystemPermission
permission, String namespaceId, boolean useCached)
-      throws ThriftSecurityException {
+  private boolean hasSystemPermission(TCredentials credentials, SystemPermission permission,
boolean useCached) throws ThriftSecurityException {
     if (isSystemUser(credentials))
       return true;
-
-    if (_hasSystemPermission(credentials.getPrincipal(), permission, useCached))
-      return true;
-    if (namespaceId != null) {
-      return _hasNamespacePermission(credentials.getPrincipal(), namespaceId, NamespacePermission.getEquivalent(permission),
useCached);
-    }
-
-    return false;
+    return _hasSystemPermission(credentials.getPrincipal(), permission, useCached);
   }
 
   /**
@@ -308,9 +282,7 @@ public class SecurityOperation {
   protected boolean hasTablePermission(TCredentials credentials, String table, TablePermission
permission, boolean useCached) throws ThriftSecurityException {
     if (isSystemUser(credentials))
       return true;
-    return _hasTablePermission(credentials.getPrincipal(), table, permission, useCached)
-        || _hasNamespacePermission(credentials.getPrincipal(), Tables.getNamespace(HdfsZooInstance.getInstance(),
table),
-            NamespacePermission.getEquivalent(permission), useCached);
+    return _hasTablePermission(credentials.getPrincipal(), table, permission, useCached);
   }
 
   /**
@@ -337,15 +309,51 @@ public class SecurityOperation {
   }
 
   /**
+   * Checks if a user has a namespace permission
+   * 
+   * @return true if a user exists and has permission; false otherwise
+   */
+  protected boolean hasNamespacePermission(TCredentials credentials, String namespace, NamespacePermission
permission, boolean useCached)
+      throws ThriftSecurityException {
+    if (isSystemUser(credentials))
+      return true;
+    return _hasNamespacePermission(credentials.getPrincipal(), namespace, permission, useCached);
+  }
+
+  /**
+   * Checks if a user has a namespace permission given a tableId
+   * 
+   * @return true if a user exists and has permission; false otherwise
+   */
+  protected boolean hasNamespacePermissionForTableId(TCredentials credentials, String tableId,
NamespacePermission permission, boolean useCached)
+      throws ThriftSecurityException {
+    String namespace = Tables.getNamespace(HdfsZooInstance.getInstance(), tableId);
+    return hasNamespacePermission(credentials, namespace, permission, useCached);
+  }
+
+  /**
+   * Checks if a user has a namespace permission given a tableName
+   * 
+   * @return true if a user exists and has permission; false otherwise
+   */
+  protected boolean hasNamespacePermissionForTableName(TCredentials credentials, String tableName,
NamespacePermission permission, boolean useCached)
+      throws ThriftSecurityException {
+    String namespace = Tables.qualify(tableName).getFirst();
+    try {
+      String namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), namespace);
+      return hasNamespacePermission(credentials, namespaceId, permission, useCached);
+    } catch (NamespaceNotFoundException e) {
+      throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
+    }
+  }
+
+  /**
    * Checks if a user has a namespace permission<br/>
    * This cannot check if a system user has permission.
    * 
    * @return true if a user exists and has permission; false otherwise
    */
   protected boolean _hasNamespacePermission(String user, String namespace, NamespacePermission
permission, boolean useCached) throws ThriftSecurityException {
-    if (permission == null)
-      return false;
-
     targetUserExists(user);
 
     if (namespace.equals(Namespaces.ACCUMULO_NAMESPACE_ID) && permission.equals(NamespacePermission.READ))
@@ -383,7 +391,8 @@ public class SecurityOperation {
 
   public boolean canScan(TCredentials credentials, String table) throws ThriftSecurityException
{
     authenticate(credentials);
-    return hasTablePermission(credentials, table, TablePermission.READ, true);
+    return hasTablePermission(credentials, table, TablePermission.READ, true)
+        || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.READ,
true);
   }
 
   public boolean canScan(TCredentials credentials, String table, TRange range, List<TColumn>
columns, List<IterInfo> ssiList,
@@ -398,21 +407,25 @@ public class SecurityOperation {
 
   public boolean canWrite(TCredentials credentials, String table) throws ThriftSecurityException
{
     authenticate(credentials);
-    return hasTablePermission(credentials, table, TablePermission.WRITE, true);
+    return hasTablePermission(credentials, table, TablePermission.WRITE, true)
+        || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.WRITE,
true);
   }
 
   public boolean canConditionallyUpdate(TCredentials credentials, String tableID, List<ByteBuffer>
authorizations) throws ThriftSecurityException {
 
     authenticate(credentials);
 
-    return hasTablePermission(credentials, tableID, TablePermission.WRITE, true) &&
hasTablePermission(credentials, tableID, TablePermission.READ, true);
+    return (hasTablePermission(credentials, tableID, TablePermission.WRITE, true) || hasNamespacePermissionForTableId(credentials,
tableID,
+        NamespacePermission.WRITE, true))
+        && (hasTablePermission(credentials, tableID, TablePermission.READ, true)
|| hasNamespacePermissionForTableId(credentials, tableID,
+            NamespacePermission.READ, true));
   }
 
-  public boolean canSplitTablet(TCredentials credentials, String tableId) throws ThriftSecurityException
{
+  public boolean canSplitTablet(TCredentials credentials, String table) throws ThriftSecurityException
{
     authenticate(credentials);
-    return hasSystemPermissionWithTableId(credentials, SystemPermission.ALTER_TABLE, tableId,
false)
-        || hasSystemPermissionWithTableId(credentials, SystemPermission.SYSTEM, tableId,
false)
-        || hasTablePermission(credentials, tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(credentials, SystemPermission.ALTER_TABLE, false) || hasSystemPermission(credentials,
SystemPermission.SYSTEM, false)
+        || hasTablePermission(credentials, table, TablePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(credentials, table, NamespacePermission.ALTER_TABLE,
false);
   }
 
   /**
@@ -425,53 +438,64 @@ public class SecurityOperation {
 
   public boolean canFlush(TCredentials c, String tableId) throws ThriftSecurityException
{
     authenticate(c);
-    return hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasTablePermission(c,
tableId, TablePermission.ALTER_TABLE, false);
+    return hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasTablePermission(c,
tableId, TablePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE,
false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
   }
 
   public boolean canAlterTable(TCredentials c, String tableId) throws ThriftSecurityException
{
     authenticate(c);
-    return hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
-        || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false);
+    return hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false) || hasSystemPermission(c,
SystemPermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE,
false);
   }
 
-  public boolean canCreateTable(TCredentials c, String table, String namespaceId) throws
ThriftSecurityException {
+  public boolean canCreateTable(TCredentials c, String tableName) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithNamespaceId(c, SystemPermission.CREATE_TABLE, namespaceId,
false);
+    return hasNamespacePermissionForTableName(c, tableName, NamespacePermission.CREATE_TABLE,
false) || canCreateTable(c);
+  }
+
+  public boolean canCreateTable(TCredentials c) throws ThriftSecurityException {
+    authenticate(c);
+    return hasSystemPermission(c, SystemPermission.CREATE_TABLE, false);
   }
 
   public boolean canRenameTable(TCredentials c, String tableId, String oldTableName, String
newTableName) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
-        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c,
tableId, TablePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE,
false);
   }
 
   public boolean canCloneTable(TCredentials c, String tableId, String tableName) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.CREATE_TABLE, tableId, false)
&& hasTablePermission(c, tableId, TablePermission.READ, false);
+    return (hasSystemPermission(c, SystemPermission.CREATE_TABLE, false) || hasNamespacePermissionForTableName(c,
tableName, NamespacePermission.CREATE_TABLE,
+        false))
+        && (hasTablePermission(c, tableId, TablePermission.READ, false) || hasNamespacePermissionForTableId(c,
tableId, NamespacePermission.READ, false));
   }
 
   public boolean canDeleteTable(TCredentials c, String tableId) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.DROP_TABLE, tableId, false)
|| hasTablePermission(c, tableId, TablePermission.DROP_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.DROP_TABLE, false) || hasTablePermission(c,
tableId, TablePermission.DROP_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.DROP_TABLE, false);
   }
 
   public boolean canOnlineOfflineTable(TCredentials c, String tableId, FateOperation op)
throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false)
-        || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
-        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c,
SystemPermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE,
false);
   }
 
   public boolean canMerge(TCredentials c, String tableId) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false)
-        || hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
-        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c,
SystemPermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.ALTER_TABLE,
false);
   }
 
   public boolean canDeleteRange(TCredentials c, String tableId, String tableName, Text startRow,
Text endRow) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.SYSTEM, tableId, false) ||
hasTablePermission(c, tableId, TablePermission.WRITE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasTablePermission(c,
tableId, TablePermission.WRITE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
   }
 
   public boolean canBulkImport(TCredentials c, String tableId, String tableName, String dir,
String failDir) throws ThriftSecurityException {
@@ -485,8 +509,9 @@ public class SecurityOperation {
 
   public boolean canCompact(TCredentials c, String tableId) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, tableId, false)
-        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false) || hasTablePermission(c,
tableId, TablePermission.WRITE, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c,
tableId, TablePermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasNamespacePermissionForTableId(c,
tableId, NamespacePermission.ALTER_TABLE, false)
+        || hasNamespacePermissionForTableId(c, tableId, NamespacePermission.WRITE, false);
   }
 
   public boolean canChangeAuthorizations(TCredentials c, String user) throws ThriftSecurityException
{
@@ -521,21 +546,13 @@ public class SecurityOperation {
 
   public boolean canGrantTable(TCredentials c, String user, String table) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, table, false)
|| hasTablePermission(c, table, TablePermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c,
table, TablePermission.GRANT, false)
+        || hasNamespacePermissionForTableId(c, table, NamespacePermission.ALTER_TABLE, false);
   }
 
   public boolean canGrantNamespace(TCredentials c, String user, String namespace) throws
ThriftSecurityException {
-    return canModifyNamespacePermission(c, user, namespace);
-  }
-
-  private boolean canModifyNamespacePermission(TCredentials c, String user, String namespace)
throws ThriftSecurityException {
     authenticate(c);
-    // The one case where Table/SystemPermission -> NamespacePermission breaks down. The
alternative is to make SystemPermission.ALTER_NAMESPACE provide
-    // NamespacePermission.GRANT & ALTER_NAMESPACE, but then it would cause some permission
checks to succeed with GRANT when they shouldn't
-    
-    // This is a bit hackier then I (vines) wanted, but I think this one hackiness makes
the overall SecurityOperations more succinct.
-    return hasSystemPermissionWithNamespaceId(c, SystemPermission.ALTER_NAMESPACE, namespace,
false)
-        || hasNamespacePermission(c, c.principal, namespace, NamespacePermission.GRANT);
+    return hasSystemPermission(c, SystemPermission.ALTER_NAMESPACE, false) || hasNamespacePermission(c,
namespace, NamespacePermission.GRANT, false);
   }
 
   public boolean canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm) throws
ThriftSecurityException {
@@ -553,11 +570,13 @@ public class SecurityOperation {
 
   public boolean canRevokeTable(TCredentials c, String user, String table) throws ThriftSecurityException
{
     authenticate(c);
-    return hasSystemPermissionWithTableId(c, SystemPermission.ALTER_TABLE, table, false)
|| hasTablePermission(c, table, TablePermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c,
table, TablePermission.GRANT, false)
+        || hasNamespacePermissionForTableId(c, table, NamespacePermission.ALTER_TABLE, false);
   }
 
   public boolean canRevokeNamespace(TCredentials c, String user, String namespace) throws
ThriftSecurityException {
-    return canModifyNamespacePermission(c, user, namespace);
+    authenticate(c);
+    return hasSystemPermission(c, SystemPermission.ALTER_NAMESPACE, false) || hasNamespacePermission(c,
namespace, NamespacePermission.GRANT, false);
   }
 
   public void changeAuthorizations(TCredentials credentials, String user, Authorizations
authorizations) throws ThriftSecurityException {
@@ -768,17 +787,20 @@ public class SecurityOperation {
 
   public boolean canExport(TCredentials credentials, String tableId, String tableName, String
exportDir) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasTablePermission(credentials, tableId, TablePermission.READ, false);
+    return hasTablePermission(credentials, tableId, TablePermission.READ, false)
+        || hasNamespacePermissionForTableId(credentials, tableId, NamespacePermission.READ,
false);
   }
 
   public boolean canImport(TCredentials credentials, String tableName, String importDir)
throws ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.CREATE_TABLE,
Tables.qualify(tableName).getFirst(), false);
+    return hasSystemPermission(credentials, SystemPermission.CREATE_TABLE, false)
+        || hasNamespacePermissionForTableName(credentials, tableName, NamespacePermission.CREATE_TABLE,
false);
   }
 
   public boolean canAlterNamespace(TCredentials credentials, String namespaceId) throws ThriftSecurityException
{
     authenticate(credentials);
-    return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.ALTER_NAMESPACE,
namespaceId, false);
+    return hasNamespacePermission(credentials, namespaceId, NamespacePermission.ALTER_NAMESPACE,
false)
+        || hasSystemPermission(credentials, SystemPermission.ALTER_NAMESPACE, false);
   }
 
   public boolean canCreateNamespace(TCredentials credentials, String namespace) throws ThriftSecurityException
{
@@ -793,12 +815,13 @@ public class SecurityOperation {
 
   public boolean canDeleteNamespace(TCredentials credentials, String namespaceId) throws
ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.DROP_NAMESPACE,
namespaceId, false);
+    return hasSystemPermission(credentials, SystemPermission.DROP_NAMESPACE, false);
   }
 
   public boolean canRenameNamespace(TCredentials credentials, String namespaceId, String
oldName, String newName) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermissionWithNamespaceId(credentials, SystemPermission.ALTER_NAMESPACE,
namespaceId, false);
+    return hasNamespacePermission(credentials, namespaceId, NamespacePermission.ALTER_NAMESPACE,
false)
+        || hasSystemPermission(credentials, SystemPermission.ALTER_NAMESPACE, false);
   }
 
 }

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
----------------------------------------------------------------------
diff --git a/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
index a0f1b01..afcda86 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/FateServiceHandler.java
@@ -58,7 +58,6 @@ import org.apache.accumulo.master.tableOps.RenameTable;
 import org.apache.accumulo.master.tableOps.TableRangeOp;
 import org.apache.accumulo.master.tableOps.TraceRepo;
 import org.apache.accumulo.server.client.ClientServiceHandler;
-import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.master.state.MergeInfo;
 import org.apache.accumulo.server.util.TablePropUtil;
 import org.apache.accumulo.trace.thrift.TInfo;
@@ -127,19 +126,14 @@ class FateServiceHandler implements FateService.Iface {
         String tableName = validateTableNameArgument(arguments.get(0), tableOp, Tables.NOT_SYSTEM);
         TimeType timeType = TimeType.valueOf(ByteBufferUtil.toString(arguments.get(1)));
 
-        String namespaceId;
+        if (!master.security.canCreateTable(c, tableName))
+          throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
 
         try {
-          namespaceId = Namespaces.getNamespaceId(HdfsZooInstance.getInstance(), Tables.qualify(tableName).getFirst());
+          master.fate.seedTransaction(opid, new TraceRepo<Master>(new CreateTable(c.getPrincipal(),
tableName, timeType, options)), autoCleanup);
         } catch (NamespaceNotFoundException e) {
           throw new ThriftTableOperationException(null, tableName, tableOp, TableOperationExceptionType.NAMESPACE_NOTFOUND,
"");
         }
-
-        if (!master.security.canCreateTable(c, tableName, namespaceId))
-          throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-
-        master.fate.seedTransaction(opid, new TraceRepo<Master>(new CreateTable(c.getPrincipal(),
tableName, timeType, options, namespaceId)), autoCleanup);
-
         break;
       }
       case TABLE_RENAME: {

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
----------------------------------------------------------------------
diff --git a/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
index 33ee878..9535781 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/tableOps/CreateTable.java
@@ -22,7 +22,9 @@ import java.util.Map.Entry;
 
 import org.apache.accumulo.core.Constants;
 import org.apache.accumulo.core.client.Instance;
+import org.apache.accumulo.core.client.NamespaceNotFoundException;
 import org.apache.accumulo.core.client.admin.TimeType;
+import org.apache.accumulo.core.client.impl.Namespaces;
 import org.apache.accumulo.core.client.impl.Tables;
 import org.apache.accumulo.core.client.impl.thrift.TableOperation;
 import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException;
@@ -33,6 +35,7 @@ import org.apache.accumulo.fate.Repo;
 import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeExistsPolicy;
 import org.apache.accumulo.master.Master;
 import org.apache.accumulo.server.ServerConstants;
+import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.fs.VolumeManager;
 import org.apache.accumulo.server.security.AuditedSecurityOperation;
 import org.apache.accumulo.server.security.SecurityOperation;
@@ -276,13 +279,14 @@ public class CreateTable extends MasterRepo {
 
   private TableInfo tableInfo;
 
-  public CreateTable(String user, String tableName, TimeType timeType, Map<String,String>
props, String namespaceId) {
+  public CreateTable(String user, String tableName, TimeType timeType, Map<String,String>
props) throws NamespaceNotFoundException {
     tableInfo = new TableInfo();
     tableInfo.tableName = tableName;
     tableInfo.timeType = TabletTime.getTimeID(timeType);
     tableInfo.user = user;
     tableInfo.props = props;
-    tableInfo.namespaceId = namespaceId;
+    Instance inst = HdfsZooInstance.getInstance();
+    tableInfo.namespaceId = Namespaces.getNamespaceId(inst, Tables.qualify(tableInfo.tableName).getFirst());
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
index 4c10b13..16310a5 100644
--- a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
+++ b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/CreateTable.java
@@ -36,7 +36,7 @@ public class CreateTable extends Test {
     String tableName = WalkingSecurity.get(state).getTableName();
     
     boolean exists = WalkingSecurity.get(state).getTableExists();
-    boolean hasPermission = WalkingSecurity.get(state).canCreateTable(WalkingSecurity.get(state).getSysCredentials(),
null, null);
+    boolean hasPermission = WalkingSecurity.get(state).canCreateTable(WalkingSecurity.get(state).getSysCredentials());
     
     try {
       conn.tableOperations().create(tableName);

http://git-wip-us.apache.org/repos/asf/accumulo/blob/f382cd8b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
index 6915c96..addb377 100644
--- a/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/NamespacesIT.java
@@ -560,7 +560,7 @@ public class NamespacesIT extends SimpleMacIT {
     c.securityOperations().createLocalUser(u1, pass);
 
     Connector user1Con = c.getInstance().getConnector(u1, pass);
-    
+
     try {
       user1Con.tableOperations().create(t2);
       fail();
@@ -680,7 +680,6 @@ public class NamespacesIT extends SimpleMacIT {
     user1Con.namespaceOperations().create(n2);
     c.securityOperations().revokeSystemPermission(u1, SystemPermission.CREATE_NAMESPACE);
 
-    c.securityOperations().revokeNamespacePermission(u1, n2, NamespacePermission.DROP_NAMESPACE);
     try {
       user1Con.namespaceOperations().delete(n2);
       fail();


Mime
View raw message