From te...@apache.org
Subject svn commit: r1341268 - in /hbase/branches/0.92: CHANGES.txt security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Date Mon, 21 May 2012 23:24:58 GMT
Author: tedyu
Date: Mon May 21 23:24:58 2012
New Revision: 1341268

URL: http://svn.apache.org/viewvc?rev=1341268&view=rev
Log:
HBASE-6061 Fix ACL "Admin" Table inconsistent permission check (Matteo Bertozzi)

Modified:
    hbase/branches/0.92/CHANGES.txt
    hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

Modified: hbase/branches/0.92/CHANGES.txt
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/CHANGES.txt?rev=1341268&r1=1341267&r2=1341268&view=diff
==============================================================================
--- hbase/branches/0.92/CHANGES.txt (original)
+++ hbase/branches/0.92/CHANGES.txt Mon May 21 23:24:58 2012
@@ -70,6 +70,7 @@ Release 0.92.2 - Unreleased
    HBASE-5920  New Compactions Logic can silently prevent user-initiated compactions from
occurring
                (Derek Wollenstein)
    HBASE-5757  TableInputFormat should handle as many errors as possible (Jan Lukavsky)
+   HBASE-6061  Fix ACL "Admin" Table inconsistent permission check (Matteo Bertozzi)
 
   IMPROVEMENTS
    HBASE-5592  Make it easier to get a table from shell (Ben West)

Modified: hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1341268&r1=1341267&r2=1341268&view=diff
==============================================================================
--- hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
(original)
+++ hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Mon May 21 23:24:58 2012
@@ -362,6 +362,25 @@ public class AccessController extends Ba
   }
 
   /**
+   * Authorizes that the current user has "admin" privileges for the given table.
+   * that means he/she can edit/modify/delete the table.
+   * If current user is the table owner, and has CREATE permission,
+   * then he/she has table admin permission. otherwise ADMIN rights are checked.
+   * @param e Master coprocessor environment
+   * @param tableName Table requested
+   * @throws IOException if obtaining the current user fails
+   * @throws AccessDeniedException if authorization is denied
+   */
+  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+      byte[] tableName) throws IOException {
+    if (isActiveUserTableOwner(e, tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
+  }
+
+  /**
    * Authorizes that the current user has global privileges for the given action.
    * @param perm The action being requested
    * @throws IOException if obtaining the current user fails
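Review bot: Both branches of requireTableAdminPermission call `requirePermission(Permission.Action)`, which the Javadoc at the end of this hunk describes as a global-privilege check, so `tableName` is used only for the ownership test and a table-scoped ADMIN grant would presumably not satisfy the else branch (requirePermission's body is outside the hunk, so this is inferred). The new Javadoc should say so, e.g. `* Both checks are made against the user's global permissions; tableName is used only for the owner test.`, and should state what happens when the owner lookup fails or the table does not exist. The commit touches only CHANGES.txt and AccessController.java, so no test pins the owner/CREATE versus non-owner/ADMIN matrix for the seven hooks that now share this helper; a regression test per hook would keep the checks from drifting apart again.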
@@ -513,11 +532,7 @@ public class AccessController extends Ba
   @Override
   public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-      requirePermission(Permission.Action.CREATE);
-    } else {
-      requirePermission(Permission.Action.ADMIN);
-    }
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -528,7 +543,7 @@ public class AccessController extends Ba
   @Override
   public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName, HTableDescriptor htd) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
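Review bot: preModifyTable authorizes against the existing table's owner but never inspects the incoming `htd`. If table ownership is carried in the descriptor (not visible in this hunk), an owner holding only CREATE could reassign ownership through this path, which changes who passes the owner test on later calls. Consider requiring ADMIN when the descriptor changes the owner, or record the intent in a comment such as `// owner changes in htd are authorized by the same owner/ADMIN rule`. The same move from a flat CREATE check to the owner/ADMIN rule is made in the preAddColumn, preModifyColumn and preDeleteColumn hunks below, so non-owners with global CREATE can no longer alter other users' tables; that is stricter and looks intended, but the CHANGES.txt entry does not mention it. postModifyTable's body continues outside the hunk.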
@@ -538,7 +553,7 @@ public class AccessController extends Ba
   @Override
   public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName, HColumnDescriptor column) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -547,7 +562,7 @@ public class AccessController extends Ba
   @Override
   public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName, HColumnDescriptor descriptor) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -557,7 +572,7 @@ public class AccessController extends Ba
   @Override
   public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName, byte[] col) throws IOException {
-    requirePermission(Permission.Action.CREATE);
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -569,11 +584,7 @@ public class AccessController extends Ba
   @Override
   public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-      requirePermission(Permission.Action.CREATE);
-    } else {
-      requirePermission(Permission.Action.ADMIN);
-    }
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -582,11 +593,7 @@ public class AccessController extends Ba
   @Override
   public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
       byte[] tableName) throws IOException {
-    if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-      requirePermission(Permission.Action.CREATE);
-    } else {
-      requirePermission(Permission.Action.ADMIN);
-    }
+    requireTableAdminPermission(c.getEnvironment(), tableName);
   }
   @Override
   public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,


