diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 9795a24c211..ecf439a103e 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -375,7 +375,7 @@ public class AccessController extends BaseRegionObserver
 AuthResult result = null;
 for (Action permission : permissions) {
- if (authManager.authorize(user, tableName, null, null, permission)) {
+ if (authManager.authorize(user, tableName, family, qualifier, permission)) {
 result = AuthResult.allow("Table permission granted", user, permission, tableName, family, qualifier);
 break;
 } else {
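Review bot: The allow branch still records the reason `"Table permission granted"` although the check on the new line is now scoped by `family` and `qualifier`, so a grant that came from a column-family or qualifier permission would presumably be reported as a table-level one. If AuthResult reasons end up in the audit log, that makes the record misleading for anyone reconstructing why access was allowed. I would make the text neutral, e.g. `result = AuthResult.allow("Permission granted", user, permission, tableName, family, qualifier);`, or choose the reason from the scope that matched. The visible hunks also contain no test that exercises a family- or qualifier-scoped grant through this path, and the enclosing method starts and ends outside the hunk.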
@@ -677,30 +677,32 @@ public class AccessController extends BaseRegionObserver byte[] tableName) throws IOException {} @Override - public void preMove(ObserverContext c, - HRegionInfo region, ServerName srcServer, ServerName destServer) - throws IOException { - requirePermission(Permission.Action.ADMIN); + public void preMove(ObserverContext c, HRegionInfo region, + ServerName srcServer, ServerName destServer) throws IOException { + requirePermission(region.getTableName(), null, null, Action.ADMIN); } + @Override public void postMove(ObserverContext c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException {} @Override - public void preAssign(ObserverContext c, - HRegionInfo regionInfo) throws IOException { - requirePermission(Permission.Action.ADMIN); + public void preAssign(ObserverContext c, HRegionInfo regionInfo) + throws IOException { + requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN); } + @Override public void postAssign(ObserverContext c, HRegionInfo regionInfo) throws IOException {} @Override - public void preUnassign(ObserverContext c, - HRegionInfo regionInfo, boolean force) throws IOException { - requirePermission(Permission.Action.ADMIN); + public void preUnassign(ObserverContext c, HRegionInfo regionInfo, + boolean force) throws IOException { + requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN); } + @Override public void postUnassign(ObserverContext c, HRegionInfo regionInfo, boolean force) throws IOException {} diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 09709a6597a..3691635abd4 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
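Review bot: In AccessController.java, `preMove`, `preAssign` and `preUnassign` now require ADMIN on `region.getTableName()` / `regionInfo.getTableName()` instead of global ADMIN, and nothing in the three hooks treats regions of catalog or system tables differently from user tables. If placement of those regions is meant to stay with global administrators, that needs an explicit guard here or inside `requirePermission`, whose body is not part of this hunk. `preMove` also decides on the table alone, so `destServer` plays no part in the authorization; that may be intended, but it is not stated anywhere. A short comment on each hook, such as `// Table-scoped ADMIN is sufficient here; global ADMIN is no longer required`, would record the widened privilege model that the updated tests (which now allow `USER_OWNER`) rely on.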
@@ -338,8 +338,8 @@ public class TestAccessController {
 }
 };
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -356,8 +356,8 @@ public class TestAccessController {
 }
 };
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -374,8 +374,8 @@ public class TestAccessController {
 }
 };
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 }
 @Test
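Review bot: These hunks in TestAccessController.java only add the positive case, moving `USER_OWNER` from `verifyDenied` to `verifyAllowed`; none of them checks the boundary that the table-scoped check introduces, namely that an owner or table-level ADMIN of a different table is still denied for a region of this table. The same gap applies to the hunks at -356 and -374. I would add a user that holds ADMIN only on another table and pass it to each `verifyDenied(...)` call, e.g. `verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OTHER_TABLE_ADMIN);`, where `USER_OTHER_TABLE_ADMIN` is a constructed name that is not defined in the visible lines. The test methods begin outside the hunks, so which hook each one exercises is inferred from the order of the changes in AccessController.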