diff --git a/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java b/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java index c8ef86e3d9f..8a100e4fe5d 100644 --- a/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java +++ b/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java @@ -41,6 +41,9 @@ import org.apache.hadoop.hbase.master.MasterServices; import org.apache.hadoop.hbase.regionserver.HRegion; import org.apache.hadoop.hbase.regionserver.InternalScanner; import org.apache.hadoop.hbase.regionserver.StoreFile; +import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp; +import org.apache.hadoop.hbase.filter.RegexStringComparator; +import org.apache.hadoop.hbase.filter.QualifierFilter; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.Pair; import org.apache.hadoop.io.Text; @@ -190,11 +193,10 @@ public class AccessControlLists { /** * Remove specified table from the _acl_ table. */ - static void removeTablePermissions(Configuration conf, byte[] tableName) - throws IOException{ - + static void removeTablePermissions(Configuration conf, byte[] tableName) + throws IOException{ Delete d = new Delete(tableName); - + if (LOG.isDebugEnabled()) { LOG.debug("Removing permissions of removed table "+ Bytes.toString(tableName)); } @@ -205,7 +207,55 @@ public class AccessControlLists { acls.delete(d); } finally { if (acls != null) acls.close(); - } + } + } + + /** + * Remove specified table column from the _acl_ table. + */ + static void removeTablePermissions(Configuration conf, byte[] tableName, byte[] column) + throws IOException{ + + if (LOG.isDebugEnabled()) { + LOG.debug("Removing permissions of removed column " + Bytes.toString(column) + + " from table "+ Bytes.toString(tableName)); + } + + HTable acls = null; + try { + acls = new HTable(conf, ACL_TABLE_NAME); + + Scan scan = new Scan(); + scan.addFamily(ACL_LIST_FAMILY); + + String columnName = Bytes.toString(column); + scan.setFilter(new QualifierFilter(CompareOp.EQUAL, new RegexStringComparator( + String.format("(%s%s%s)|(%s%s)$", + ACL_KEY_DELIMITER, columnName, ACL_KEY_DELIMITER, + ACL_KEY_DELIMITER, columnName)))); + + Set qualifierSet = new TreeSet(Bytes.BYTES_COMPARATOR); + ResultScanner scanner = acls.getScanner(scan); + try { + for (Result res : scanner) { + for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) { + qualifierSet.add(q); + } + } + } finally { + scanner.close(); + } + + if (qualifierSet.size() > 0) { + Delete d = new Delete(tableName); + for (byte[] qualifier : qualifierSet) { + d.deleteColumns(ACL_LIST_FAMILY, qualifier); + } + acls.delete(d); + } + } finally { + if (acls != null) acls.close(); + } } /** diff --git a/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index dba66c64208..6ccfe7a25c3 100644 --- a/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -595,7 +595,10 @@ public class AccessController extends BaseRegionObserver byte[] tableName, byte[] col) throws IOException {} @Override public void postDeleteColumn(ObserverContext c, - byte[] tableName, byte[] col) throws IOException {} + byte[] tableName, byte[] col) throws IOException { + AccessControlLists.removeTablePermissions(c.getEnvironment().getConfiguration(), + tableName, col); + } @Override public void postDeleteColumnHandler(ObserverContext c, byte[] tableName, byte[] col) throws IOException {}