hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From te...@apache.org
Subject svn commit: r1327605 - in /hbase/trunk/security/src: main/java/org/apache/hadoop/hbase/security/access/AccessController.java test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Date Wed, 18 Apr 2012 18:20:46 GMT
Author: tedyu
Date: Wed Apr 18 18:20:46 2012
New Revision: 1327605

URL: http://svn.apache.org/viewvc?rev=1327605&view=rev
Log:
HBASE-5787 Table owner can't disable/delete its own table (Matteo)

Modified:
    hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
    hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

Modified: hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1327605&r1=1327604&r2=1327605&view=diff
==============================================================================
--- hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
(original)
+++ hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Wed Apr 18 18:20:46 2012
@@ -505,7 +505,11 @@ public class AccessController extends Ba
   @Override
   public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -555,8 +559,11 @@ public class AccessController extends Ba
   @Override
   public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    /* TODO: Allow for users with global CREATE permission and the table owner */
-    requirePermission(Permission.Action.ADMIN);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -565,8 +572,11 @@ public class AccessController extends Ba
   @Override
   public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    /* TODO: Allow for users with global CREATE permission and the table owner */
-    requirePermission(Permission.Action.ADMIN);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -1027,4 +1037,16 @@ public class AccessController extends Ba
     }
     return tableName;
   }
+
+  private String getTableOwner(MasterCoprocessorEnvironment e, 
+      byte[] tableName) throws IOException {
+    HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
+    return htd.getOwnerString();
+  }
+
+  private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
+      byte[] tableName) throws IOException {
+    String activeUser = getActiveUser().getShortName();
+    return activeUser.equals(getTableOwner(e, tableName));
+  }
 }

Modified: hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1327605&r1=1327604&r2=1327605&view=diff
==============================================================================
--- hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
(original)
+++ hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Wed Apr 18 18:20:46 2012
@@ -205,7 +205,7 @@ public class TestAccessController {
 
   @Test
   public void testTableModify() throws Exception {
-    PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+    PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
       public Object run() throws Exception {
         HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
         htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@@ -216,18 +216,18 @@ public class TestAccessController {
     };
 
     // all others should be denied
-    verifyDenied(USER_OWNER, disableTable);
-    verifyDenied(USER_RW, disableTable);
-    verifyDenied(USER_RO, disableTable);
-    verifyDenied(USER_NONE, disableTable);
+    verifyDenied(USER_OWNER, modifyTable);
+    verifyDenied(USER_RW, modifyTable);
+    verifyDenied(USER_RO, modifyTable);
+    verifyDenied(USER_NONE, modifyTable);
 
     // verify that superuser can create tables
-    verifyAllowed(SUPERUSER, disableTable);
+    verifyAllowed(SUPERUSER, modifyTable);
   }
 
   @Test
   public void testTableDelete() throws Exception {
-    PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+    PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
       public Object run() throws Exception {
         ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null),
TEST_TABLE);
         return null;
@@ -235,13 +235,13 @@ public class TestAccessController {
     };
 
     // all others should be denied
-    verifyDenied(USER_OWNER, disableTable);
-    verifyDenied(USER_RW, disableTable);
-    verifyDenied(USER_RO, disableTable);
-    verifyDenied(USER_NONE, disableTable);
+    verifyDenied(USER_OWNER, deleteTable);
+    verifyDenied(USER_RW, deleteTable);
+    verifyDenied(USER_RO, deleteTable);
+    verifyDenied(USER_NONE, deleteTable);
 
     // verify that superuser can create tables
-    verifyAllowed(SUPERUSER, disableTable);
+    verifyAllowed(SUPERUSER, deleteTable);
   }
 
   @Test



Mime
View raw message