HBASE-6252. TABLE ADMIN should be allowed to relocate regions (Laxman)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1352644 13f79535-47bb-0310-9956-ffa450edef68

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

@@ -375,7 +375,7 @@ public class AccessController extends BaseRegionObserver
     AuthResult result = null;
 
     for (Action permission : permissions) {
-      if (authManager.authorize(user, tableName, null, null, permission)) {
+      if (authManager.authorize(user, tableName, family, qualifier, permission)) {
         result = AuthResult.allow("Table permission granted", user, permission, tableName, family, qualifier);
         break;
       } else {
@@ -677,30 +677,32 @@ public class AccessController extends BaseRegionObserver
       byte[] tableName) throws IOException {}
 
   @Override
-  public void preMove(ObserverContext<MasterCoprocessorEnvironment> c,
+  public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo region,
-      HRegionInfo region, ServerName srcServer, ServerName destServer)
+      ServerName srcServer, ServerName destServer) throws IOException {
-    throws IOException {
+    requirePermission(region.getTableName(), null, null, Action.ADMIN);
-    requirePermission(Permission.Action.ADMIN);
   }
+
   @Override
   public void postMove(ObserverContext<MasterCoprocessorEnvironment> c,
       HRegionInfo region, ServerName srcServer, ServerName destServer)
     throws IOException {}
 
   @Override
-  public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c,
+  public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo)
-      HRegionInfo regionInfo) throws IOException {
+      throws IOException {
-    requirePermission(Permission.Action.ADMIN);
+    requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN);
   }
+
   @Override
   public void postAssign(ObserverContext<MasterCoprocessorEnvironment> c,
       HRegionInfo regionInfo) throws IOException {}
 
   @Override
-  public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c,
+  public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, HRegionInfo regionInfo,
-       HRegionInfo regionInfo, boolean force) throws IOException {
+      boolean force) throws IOException {
-    requirePermission(Permission.Action.ADMIN);
+    requirePermission(regionInfo.getTableName(), null, null, Action.ADMIN);
   }
+
   @Override
   public void postUnassign(ObserverContext<MasterCoprocessorEnvironment> c,
       HRegionInfo regionInfo, boolean force) throws IOException {}

hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

@@ -338,8 +338,8 @@ public class TestAccessController {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
   }
 
   @Test
@@ -356,8 +356,8 @@ public class TestAccessController {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
   }
 
   @Test
@@ -374,8 +374,8 @@ public class TestAccessController {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
   }
 
   @Test