hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From te...@apache.org
Subject svn commit: r1327758 - in /hbase/branches/0.92: CHANGES.txt security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Date Thu, 19 Apr 2012 00:44:35 GMT
Author: tedyu
Date: Thu Apr 19 00:44:34 2012
New Revision: 1327758

URL: http://svn.apache.org/viewvc?rev=1327758&view=rev
Log:
HBASE-5787 Table owner can't disable/delete its own table (Matteo)

Modified:
    hbase/branches/0.92/CHANGES.txt
    hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
    hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

Modified: hbase/branches/0.92/CHANGES.txt
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/CHANGES.txt?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/CHANGES.txt (original)
+++ hbase/branches/0.92/CHANGES.txt Thu Apr 19 00:44:34 2012
@@ -42,6 +42,7 @@ Release 0.92.2 - Unreleased
    HBASE-5793  TestHBaseFsck#TestNoHdfsTable test hangs after client retries increased
    HBASE-5780  Fix race in HBase regionserver startup vs ZK SASL authentication (Shaneal
Manek)
    HBASE-5823  HBASE-5823 Hbck should be able to print help (Enis Soztutar)
+   HBASE-5787  Table owner can't disable/delete its own table (Matteo)
 
   IMPROVEMENTS
    HBASE-5592  Make it easier to get a table from shell (Ben West)

Modified: hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
(original)
+++ hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Thu Apr 19 00:44:34 2012
@@ -505,7 +505,11 @@ public class AccessController extends Ba
   @Override
   public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -555,8 +559,11 @@ public class AccessController extends Ba
   @Override
   public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    /* TODO: Allow for users with global CREATE permission and the table owner */
-    requirePermission(Permission.Action.ADMIN);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -565,8 +572,11 @@ public class AccessController extends Ba
   @Override
   public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    /* TODO: Allow for users with global CREATE permission and the table owner */
-    requirePermission(Permission.Action.ADMIN);
+    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
   }
   @Override
   public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -1027,4 +1037,16 @@ public class AccessController extends Ba
     }
     return tableName;
   }
+
+  private String getTableOwner(MasterCoprocessorEnvironment e, 
+      byte[] tableName) throws IOException {
+    HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
+    return htd.getOwnerString();
+  }
+
+  private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
+      byte[] tableName) throws IOException {
+    String activeUser = getActiveUser().getShortName();
+    return activeUser.equals(getTableOwner(e, tableName));
+  }
 }

Modified: hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1327758&r1=1327757&r2=1327758&view=diff
==============================================================================
--- hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
(original)
+++ hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Thu Apr 19 00:44:34 2012
@@ -202,7 +202,7 @@ public class TestAccessController {
 
   @Test
   public void testTableModify() throws Exception {
-    PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+    PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
       public Object run() throws Exception {
         HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
         htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@@ -213,18 +213,18 @@ public class TestAccessController {
     };
 
     // all others should be denied
-    verifyDenied(USER_OWNER, disableTable);
-    verifyDenied(USER_RW, disableTable);
-    verifyDenied(USER_RO, disableTable);
-    verifyDenied(USER_NONE, disableTable);
+    verifyDenied(USER_OWNER, modifyTable);
+    verifyDenied(USER_RW, modifyTable);
+    verifyDenied(USER_RO, modifyTable);
+    verifyDenied(USER_NONE, modifyTable);
 
     // verify that superuser can create tables
-    verifyAllowed(SUPERUSER, disableTable);
+    verifyAllowed(SUPERUSER, modifyTable);
   }
 
   @Test
   public void testTableDelete() throws Exception {
-    PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
+    PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
       public Object run() throws Exception {
         ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null),
TEST_TABLE);
         return null;
@@ -232,13 +232,13 @@ public class TestAccessController {
     };
 
     // all others should be denied
-    verifyDenied(USER_OWNER, disableTable);
-    verifyDenied(USER_RW, disableTable);
-    verifyDenied(USER_RO, disableTable);
-    verifyDenied(USER_NONE, disableTable);
+    verifyDenied(USER_OWNER, deleteTable);
+    verifyDenied(USER_RW, deleteTable);
+    verifyDenied(USER_RO, deleteTable);
+    verifyDenied(USER_NONE, deleteTable);
 
     // verify that superuser can create tables
-    verifyAllowed(SUPERUSER, disableTable);
+    verifyAllowed(SUPERUSER, deleteTable);
   }
 
   @Test



Mime
View raw message