HBASE-6061 Fix ACL "Admin" Table inconsistent permission check (Matteo Bertozzi)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1341265 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
3e2afde130
commit
6a44960549
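--- a/PATH_NOT_SHOWN/AccessController.java
+++ b/PATH_NOT_SHOWN/AccessController.java
@@ -362,6 +362,25 @@ public class AccessController extends BaseRegionObserver
 return user;
 }
 
+/**
+* Authorizes that the current user has "admin" privileges for the given table.
+* that means he/she can edit/modify/delete the table.
+* If current user is the table owner, and has CREATE permission,
+* then he/she has table admin permission. otherwise ADMIN rights are checked.
+* @param e Master coprocessor environment
+* @param tableName Table requested
+* @throws IOException if obtaining the current user fails
+* @throws AccessDeniedException if authorization is denied
+*/
+private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+byte[] tableName) throws IOException {
+if (isActiveUserTableOwner(e, tableName)) {
+requirePermission(Permission.Action.CREATE);
+} else {
+requirePermission(Permission.Action.ADMIN);
+}
+}
+
 /**
 * Authorizes that the current user has global privileges for the given action.
 * @param perm The action being requested
@@ -520,11 +539,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName) throws IOException {
-if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-requirePermission(Permission.Action.CREATE);
-} else {
-requirePermission(Permission.Action.ADMIN);
-}
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preDeleteTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -541,7 +556,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName, HTableDescriptor htd) throws IOException {
-requirePermission(Permission.Action.CREATE);
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preModifyTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -557,7 +572,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName, HColumnDescriptor column) throws IOException {
-requirePermission(Permission.Action.CREATE);
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preAddColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -572,7 +587,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName, HColumnDescriptor descriptor) throws IOException {
-requirePermission(Permission.Action.CREATE);
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preModifyColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -588,7 +603,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName, byte[] col) throws IOException {
-requirePermission(Permission.Action.CREATE);
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preDeleteColumnHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -606,11 +621,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName) throws IOException {
-if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-requirePermission(Permission.Action.CREATE);
-} else {
-requirePermission(Permission.Action.ADMIN);
-}
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preEnableTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,
@@ -625,11 +636,7 @@ public class AccessController extends BaseRegionObserver
 @Override
 public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
 byte[] tableName) throws IOException {
-if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
-requirePermission(Permission.Action.CREATE);
-} else {
-requirePermission(Permission.Action.ADMIN);
-}
+requireTableAdminPermission(c.getEnvironment(), tableName);
 }
 @Override
 public void preDisableTableHandler(ObserverContext<MasterCoprocessorEnvironment> c,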
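Review bot: In the new requireTableAdminPermission (first hunk) a table owner who holds global ADMIN but not CREATE is denied, because the owner branch only checks CREATE and never falls back to the ADMIN check a non-owner gets, so ownership can only narrow what a caller may do. The helper is now the check behind preDeleteTable, preModifyTable, preAddColumn, preModifyColumn, preDeleteColumn, preEnableTable and preDisableTable, so the asymmetry applies to every one of those hooks. Either the Javadoc line `* then he/she has table admin permission. otherwise ADMIN rights are checked.` should say that an owner is checked for CREATE only and ADMIN is not consulted, or the helper should accept global ADMIN regardless of ownership, which needs a non-throwing permission query that this hunk does not show. Note also that requirePermission is documented in the first hunk as checking global privileges, so a table-scoped ADMIN grant on tableName does not appear to satisfy this check; worth confirming against the rest of the file.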