Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-16311 Audit log for delete snapshot operation is missing in case of snapshot owner deleting the same (Yi Liang)

This commit is contained in:
Jerry He 2016-09-02 09:47:28 -07:00
parent f6ccae3502
commit 0b6eccf4c3
2 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -1314,7 +1314,7 @@ public class AccessController extends BaseMasterAndRegionObserver
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
throws IOException {
requirePermission(getActiveUser(ctx), "snapshot", hTableDescriptor.getTableName(), null, null,
requirePermission(getActiveUser(ctx), "snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
Permission.Action.ADMIN);
}
@ -1324,9 +1324,11 @@ public class AccessController extends BaseMasterAndRegionObserver
User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// list it, if user is the owner of snapshot
// TODO: We are not logging this for audit
AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),
"Snapshot owner check allowed", user, null, null, null);
logResult(result);
} else {
requirePermission(user, "listSnapshot", Action.ADMIN);
requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
}
}
@ -1334,7 +1336,7 @@ public class AccessController extends BaseMasterAndRegionObserver
public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
throws IOException {
requirePermission(getActiveUser(ctx), "clone", Action.ADMIN);
requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
}
@Override
@ -1343,10 +1345,10 @@ public class AccessController extends BaseMasterAndRegionObserver
throws IOException {
User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
requirePermission(user, "restoreSnapshot", hTableDescriptor.getTableName(), null, null,
requirePermission(user, "restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
Permission.Action.ADMIN);
} else {
requirePermission(user, "restoreSnapshot", Action.ADMIN);
requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
}
}
@ -1356,9 +1358,11 @@ public class AccessController extends BaseMasterAndRegionObserver
User user = getActiveUser(ctx);
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// Snapshot owner is allowed to delete the snapshot
// TODO: We are not logging this for audit
AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),
"Snapshot owner check allowed", user, null, null, null);
logResult(result);
} else {
requirePermission(user, "deleteSnapshot", Action.ADMIN);
requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
}
}

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -2053,7 +2053,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
null, null);
snapshot, null);
return null;
}
};
@ -2124,7 +2124,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
null, null);
snapshot, null);
return null;
}
};