From: mbertozzi@apache.org
To: commits@hbase.apache.org
Date: Tue, 30 Sep 2014 18:20:15 -0000
Message-Id:
X-Mailer: ASF-Git Admin Mailer
Subject: [1/3] git commit: HBASE-12098 User granted namespace table create permissions can't create a table (Srikanth Srungarapu)
Repository: hbase
Updated Branches:
 refs/heads/0.98 2968d385e -> 6570e0ed8
 refs/heads/branch-1 f719b57f7 -> 469bfdf95
 refs/heads/master 8d1a87fab -> 321a6085f
HBASE-12098 User granted namespace table create permissions can't create a table (Srikanth Srungarapu)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/321a6085
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/321a6085
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/321a6085
Branch: refs/heads/master
Commit: 321a6085fb5ca65f91f3c67216d8994897c46019
Parents: 8d1a87f
Author: Matteo Bertozzi
Authored: Tue Sep 30 19:10:00 2014 +0100
Committer: Matteo Bertozzi
Committed: Tue Sep 30 19:10:00 2014 +0100
----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java | 3 +-
 .../security/access/TestNamespaceCommands.java | 37 +++++++++++++++++---
 2 files changed, 35 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/321a6085/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 96c912a..49aa7d7 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -487,7 +487,8 @@ public class AccessController extends BaseMasterAndRegionObserver
 private void requireGlobalPermission(String request, Action perm, TableName tableName, Map> familyMap) throws IOException {
 User user = getActiveUser();
- if (authManager.authorize(user, perm)) {
+ if (authManager.authorize(user, perm) || (tableName != null &&
+ authManager.authorize(user, tableName.getNamespaceAsString(), perm))) {
 logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
 } else {
 logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));
http://git-wip-us.apache.org/repos/asf/hbase/blob/321a6085/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 6b38bc9..0f28c66 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -22,10 +22,16 @@ import static org.junit.Assert.assertTrue;
 import java.util.List;
+import com.google.common.collect.ListMultimap;
+import com.google.protobuf.BlockingRpcChannel;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Get;
 import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Result;
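Review bot: In `requireGlobalPermission`, the allow branch still logs "Global check allowed" when the request was authorized only by the namespace-scoped `authManager.authorize(user, tableName.getNamespaceAsString(), perm)` call, so the audit record cannot tell a global grant from a namespace grant. Splitting the condition into an `else if` with its own reason string keeps the authorization decision identical and makes the log accurate. Because the fallback sits in this shared helper, it presumably applies to every caller that passes a non-null `tableName`, not only table creation; the callers are outside this hunk, so that scope should be confirmed. The method body continues past the end of the hunk.

```java
    User user = getActiveUser();
    if (authManager.authorize(user, perm)) {
      logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
    } else if (tableName != null
        && authManager.authorize(user, tableName.getNamespaceAsString(), perm)) {
      // Record that a namespace-scoped grant, not a global one, authorized this request.
      logResult(AuthResult.allow(request, "Namespace check allowed", user, perm, tableName, familyMap));
    } else {
      // … unchanged: deny path logging "Global check failed" …
```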
@@ -39,14 +45,15 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.hadoop.hbase.testclassification.SecurityTests;
 import org.apache.hadoop.hbase.util.Bytes;
-
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
-import com.google.common.collect.ListMultimap;
-import com.google.protobuf.BlockingRpcChannel;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 @Category({SecurityTests.class, MediumTests.class})
 public class TestNamespaceCommands extends SecureTestUtil {
@@ -64,6 +71,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
 private static User USER_CREATE;
 // user with permission on namespace for testing all operations.
 private static User USER_NSP_WRITE;
+
+ private static String TEST_TABLE = TestNamespace + ":testtable";
+ private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
 @BeforeClass
 public static void beforeClass() throws Exception {
@@ -86,7 +96,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
 UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
 grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
- TestNamespace, Permission.Action.WRITE);
+ TestNamespace, Permission.Action.WRITE, Permission.Action.CREATE);
 }
 @AfterClass
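Review bot: `TEST_TABLE` and `TEST_FAMILY` are declared as mutable statics, although they are initialized inline and nothing in the visible hunks reassigns them. Declaring them as `private static final String TEST_TABLE = TestNamespace + ":testtable";` and `private static final byte[] TEST_FAMILY = Bytes.toBytes("f1");` would mark them as constants and separate them from the `User` fields that are assigned later in setup.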
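Review bot: Adding `Permission.Action.CREATE` to the `grantOnNamespace` call for `USER_NSP_WRITE` widens a fixture shared by the whole class, so the class no longer has a user holding only namespace WRITE and the name understates what this user may do. Any existing assertion that allows `USER_NSP_WRITE` could now pass because of CREATE rather than WRITE; those tests are outside this hunk. I would leave this grant as it was and give the new test its own user, or at least add a comment here such as `// CREATE is needed by testCreateTableWithNamespace; this user is no longer write-only`. `beforeClass` starts and ends outside the hunk.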
@@ -190,4 +200,23 @@ public class TestNamespaceCommands extends SecureTestUtil {
 verifyAllowed(revokeAction, SUPERUSER);
 verifyDenied(revokeAction, USER_CREATE, USER_RW);
 }
+
+ @Test
+ public void testCreateTableWithNamespace() throws Exception {
+ AccessTestAction createTable = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE));
+ htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null);
+ return null;
+ }
+ };
+
+ // Only users with create permissions on namespace should be able to create a new table
+ verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE);
+
+ // all others should be denied
+ verifyDenied(createTable, USER_CREATE, USER_RW);
+ }
 }
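Review bot: `testCreateTableWithNamespace` has no negative case for the namespace fallback itself: nothing checks that a user with CREATE on a different namespace, or with only WRITE on `TestNamespace`, is denied. The denied users `USER_CREATE` and `USER_RW` are set up outside this hunk, so it is not visible whether either holds any namespace-level grant. For an authorization change, I would add a user granted CREATE on a second namespace and assert it is rejected with `verifyDenied(createTable, ...)`, so that a regression which ignores the namespace of the grant is caught. The first comment would also be more accurate as `// Superuser and users with CREATE on the table's namespace may create the table`.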