hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ashishsin...@apache.org
Subject hbase git commit: HBASE-16724 Snapshot owner can't clone
Date Thu, 13 Oct 2016 11:51:33 GMT
Repository: hbase
Updated Branches:
  refs/heads/master 90d83d5b3 -> c9c67d1a9


HBASE-16724 Snapshot owner can't clone

Signed-off-by: Ashish Singhi <ashishsinghi@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/c9c67d1a
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/c9c67d1a
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/c9c67d1a

Branch: refs/heads/master
Commit: c9c67d1a946d19bed96c92f2ff2142ac15770696
Parents: 90d83d5
Author: Pankaj Kumar <pankaj.kr@huawei.com>
Authored: Thu Oct 13 17:20:52 2016 +0530
Committer: Ashish Singhi <ashishsinghi@apache.org>
Committed: Thu Oct 13 17:20:52 2016 +0530

----------------------------------------------------------------------
 .../hadoop/hbase/security/access/AccessController.java   | 11 ++++++++++-
 .../hbase/security/access/TestAccessController.java      | 10 ++++------
 src/main/asciidoc/_chapters/appendix_acl_matrix.adoc     |  2 +-
 3 files changed, 15 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/c9c67d1a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d8e61a4..3fc2ef5 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1341,7 +1341,16 @@ public class AccessController extends BaseMasterAndRegionObserver
   public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment>
ctx,
       final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+    User user = getActiveUser(ctx);
+    if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
+        && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) {
+      // Snapshot owner is allowed to create a table with the same name as the snapshot he
took
+      AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),
+        "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);
+      logResult(result);
+    } else {
+      requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+    }
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/hbase/blob/c9c67d1a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 9ba0d0e..ef44693 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2124,15 +2124,13 @@ public class TestAccessController extends SecureTestUtil {
       @Override
       public Object run() throws Exception {
         ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
-          snapshot, null);
+          snapshot, htd);
         return null;
       }
     };
-    // Clone by snapshot owner is not allowed , because clone operation creates a new table,
-    // which needs global admin permission.
-    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
-    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
-      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER);
+    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test (timeout=180000)

http://git-wip-us.apache.org/repos/asf/hbase/blob/c9c67d1a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
index 698ae82..e222875 100644
--- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
+++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
@@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which check for accuracy
of p
 |        | stopMaster | superuser\|global(A)
 |        | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A)
 |        | listSnapshot | superuser\|global(A)\|SnapshotOwner
-|        | cloneSnapshot | superuser\|global(A)
+|        | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName matches)
 |        | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|TableOwner\|table(A))
 |        | deleteSnapshot | superuser\|global(A)\|SnapshotOwner
 |        | createNamespace | superuser\|global(A)


Mime
View raw message