hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matteo Bertozzi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16724) Snapshot owner can't clone
Date Wed, 28 Sep 2016 14:08:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529734#comment-15529734
] 

Matteo Bertozzi commented on HBASE-16724:
-----------------------------------------

what if we change cloneSnapshot to check for table admin?
{code}
requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), 
      hTableDescriptor.getTableName(), null, null,
      Permission.Action.ADMIN);
{code}

snapshot and restore do the check for table admin. 
so you can take a snapshot and by snapshot owner if you own the table.
clone should probably do the same thing, if you have permission on that table you'll be able
to create it.

this prevents for a user with a specific "table admin" permission to be able to create other
tables.

e.g. user1 is allowed to work/admin only table1. user1 can snapshot/restore/clone snapshots
for table1 as table1

> Snapshot owner can't clone
> --------------------------
>
>                 Key: HBASE-16724
>                 URL: https://issues.apache.org/jira/browse/HBASE-16724
>             Project: HBase
>          Issue Type: Bug
>          Components: snapshots
>    Affects Versions: 2.0.0
>            Reporter: Pankaj Kumar
>            Assignee: Pankaj Kumar
>
> Currently only Global admin has the access of cloning a snapshot.
> In AccessController,
> {code}
>   @Override
>   public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment>
ctx,
>       final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
>       throws IOException {
>     requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
>   }
> {code}
> Snapshot owner should be able to  clone it, need to add a check like,
> {code}
> SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message