Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 74BBF200B9D for ; Wed, 28 Sep 2016 16:08:22 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 71CCC160AB4; Wed, 28 Sep 2016 14:08:22 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id B6AB5160AC1 for ; Wed, 28 Sep 2016 16:08:21 +0200 (CEST) Received: (qmail 8305 invoked by uid 500); 28 Sep 2016 14:08:20 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 7992 invoked by uid 99); 28 Sep 2016 14:08:20 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 28 Sep 2016 14:08:20 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id 95A172C2A66 for ; Wed, 28 Sep 2016 14:08:20 +0000 (UTC) Date: Wed, 28 Sep 2016 14:08:20 +0000 (UTC) From: "Matteo Bertozzi (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-16724) Snapshot owner can't clone MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Wed, 28 Sep 2016 14:08:22 -0000 [ https://issues.apache.org/jira/browse/HBASE-16724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529734#comment-15529734 ] Matteo Bertozzi commented on HBASE-16724: ----------------------------------------- what if we change cloneSnapshot to check for table admin? {code} requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN); {code} snapshot and restore do the check for table admin. so you can take a snapshot and by snapshot owner if you own the table. clone should probably do the same thing, if you have permission on that table you'll be able to create it. this prevents for a user with a specific "table admin" permission to be able to create other tables. e.g. user1 is allowed to work/admin only table1. user1 can snapshot/restore/clone snapshots for table1 as table1 > Snapshot owner can't clone > -------------------------- > > Key: HBASE-16724 > URL: https://issues.apache.org/jira/browse/HBASE-16724 > Project: HBase > Issue Type: Bug > Components: snapshots > Affects Versions: 2.0.0 > Reporter: Pankaj Kumar > Assignee: Pankaj Kumar > > Currently only Global admin has the access of cloning a snapshot. > In AccessController, > {code} > @Override > public void preCloneSnapshot(final ObserverContext ctx, > final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) > throws IOException { > requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN); > } > {code} > Snapshot owner should be able to clone it, need to add a check like, > {code} > SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)