hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject svn commit: r1348467 - in /hbase/branches/0.94/security/src: main/java/org/apache/hadoop/hbase/security/access/AccessController.java test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Date Sat, 09 Jun 2012 18:15:48 GMT
Author: apurtell
Date: Sat Jun  9 18:15:48 2012
New Revision: 1348467

URL: http://svn.apache.org/viewvc?rev=1348467&view=rev
Log:
HBASE-5372. Table mutation operations should check table level rights (Laxman)

Modified:
    hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
    hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java?rev=1348467&r1=1348466&r2=1348467&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
(original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
Sat Jun  9 18:15:48 2012
@@ -371,12 +371,33 @@ public class AccessController extends Ba
    * @throws IOException if obtaining the current user fails
    * @throws AccessDeniedException if authorization is denied
    */
-  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
-      byte[] tableName) throws IOException {
-    if (isActiveUserTableOwner(e, tableName)) {
-      requirePermission(Permission.Action.CREATE);
+  private void requireTableAdminPermission(MasterCoprocessorEnvironment e, byte[] tableName)
+      throws IOException {
+    User user = getActiveUser();
+    AuthResult result = null;
+
+    // Table admins are allowed to perform DDL
+    if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN))
{
+      result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
+          tableName);
+    } else if (isActiveUserTableOwner(e, tableName)) {
+      // Table owners with Create permission are allowed to perform DDL
+      if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE))
{
+        result = AuthResult.allow("Owner has table permission", user,
+            TablePermission.Action.CREATE, tableName);
+      } else {
+        // Table owners without Create permission cannot perform DDL
+        result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
+            tableName);
+      }
     } else {
-      requirePermission(Permission.Action.ADMIN);
+      // rest of the world
+      result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
+          tableName);
+    }
+    logResult(result);
+    if (!result.isAllowed()) {
+      throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
     }
   }
 

Modified: hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1348467&r1=1348466&r2=1348467&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
(original)
+++ hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Sat Jun  9 18:15:48 2012
@@ -80,6 +80,8 @@ public class TestAccessController {
   private static User USER_RW;
   // user with read-only permissions
   private static User USER_RO;
+  // user with table admin permissions
+  private static User USER_TBLADM;
   // user with no permissions
   private static User USER_NONE;
 
@@ -110,6 +112,7 @@ public class TestAccessController {
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
     USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
+    USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
 
     HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
@@ -132,6 +135,9 @@ public class TestAccessController {
 
     protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()),
                    TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
+
+    protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
+      TEST_TABLE, null, Permission.Action.ADMIN));    
   }
 
   @AfterClass
@@ -232,6 +238,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, modifyTable);
     verifyAllowed(USER_ADMIN, modifyTable);
+    verifyAllowed(USER_TBLADM, modifyTable);
   }
 
   @Test
@@ -252,6 +259,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, deleteTable);
     verifyAllowed(USER_ADMIN, deleteTable);
+    verifyAllowed(USER_TBLADM, deleteTable);
   }
 
   @Test
@@ -273,6 +281,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -295,6 +304,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -315,6 +325,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -335,6 +346,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, disableTable);
     verifyAllowed(USER_ADMIN, disableTable);
+    verifyAllowed(USER_TBLADM, disableTable);
   }
 
   @Test
@@ -355,6 +367,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, enableTable);
     verifyAllowed(USER_ADMIN, enableTable);
+    verifyAllowed(USER_TBLADM, enableTable);
   }
 
   @Test



Mime
View raw message