Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-6061 Fix ACL "Admin" Table inconsistent permission check (Matteo Bertozzi) 

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1341265 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Zhihong Yu 2012-05-21 23:21:06 +00:00
parent 3e2afde130
commit 6a44960549
1 changed files with 26 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -362,6 +362,25 @@ public class AccessController extends BaseRegionObserver
return user;
}
/**
* Authorizes that the current user has "admin" privileges for the given table.
* that means he/she can edit/modify/delete the table.
* If current user is the table owner, and has CREATE permission,
* then he/she has table admin permission. otherwise ADMIN rights are checked.
* @param e Master coprocessor environment
* @param tableName Table requested
* @throws IOException if obtaining the current user fails
* @throws AccessDeniedException if authorization is denied
*/
private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
byte[] tableName) throws IOException {
if (isActiveUserTableOwner(e, tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
}
/**
* Authorizes that the current user has global privileges for the given action.
* @param perm The action being requested
@ -520,11 +539,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preDeleteTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -541,7 +556,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HTableDescriptor htd) throws IOException {
requirePermission(Permission.Action.CREATE);
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preModifyTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -557,7 +572,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HColumnDescriptor column) throws IOException {
requirePermission(Permission.Action.CREATE);
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preAddColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -572,7 +587,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, HColumnDescriptor descriptor) throws IOException {
requirePermission(Permission.Action.CREATE);
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preModifyColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -588,7 +603,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName, byte[] col) throws IOException {
requirePermission(Permission.Action.CREATE);
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preDeleteColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -606,11 +621,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preEnableTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@ -625,11 +636,7 @@ public class AccessController extends BaseRegionObserver
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
requireTableAdminPermission(c.getEnvironment(), tableName);
}
@Override
public void preDisableTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,