Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-16311 Audit log for delete snapshot operation is missing in case of snapshot owner deleting the same (Yi Liang)

This commit is contained in:
Jerry He 2016-09-02 10:09:44 -07:00
parent 4147dcb81a
commit 8be6f95f99
2 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -1313,17 +1313,21 @@ public class AccessController extends BaseMasterAndRegionObserver
public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
throws IOException {
requirePermission("snapshot", hTableDescriptor.getTableName(), null, null,
requirePermission("snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
Permission.Action.ADMIN);
}
@Override
public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot) throws IOException {
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) {
User user = getActiveUser();
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// list it, if user is the owner of snapshot
AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),
"Snapshot owner check allowed", user, null, null, null);
logResult(result);
} else {
requirePermission("listSnapshot", Action.ADMIN);
requirePermission("listSnapshot " + snapshot.getName(), Action.ADMIN);
}
}
@ -1331,7 +1335,7 @@ public class AccessController extends BaseMasterAndRegionObserver
public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
throws IOException {
requirePermission("clone", Action.ADMIN);
requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN);
}
@Override
@ -1339,21 +1343,24 @@ public class AccessController extends BaseMasterAndRegionObserver
final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor)
throws IOException {
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) {
requirePermission("restoreSnapshot", hTableDescriptor.getTableName(), null, null,
requirePermission("restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
Permission.Action.ADMIN);
} else {
requirePermission("restore", Action.ADMIN);
requirePermission("restoreSnapshot " + snapshot.getName(), Action.ADMIN);
}
}
@Override
public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
final SnapshotDescription snapshot) throws IOException {
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) {
User user = getActiveUser();
if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
// Snapshot owner is allowed to delete the snapshot
// TODO: We are not logging this for audit
AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),
"Snapshot owner check allowed", user, null, null, null);
logResult(result);
} else {
requirePermission("deleteSnapshot", Action.ADMIN);
requirePermission("deleteSnapshot " + snapshot.getName(), Action.ADMIN);
}
}

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -2051,7 +2051,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
null, null);
snapshot, null);
return null;
}
};
@ -2122,7 +2122,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
null, null);
snapshot, null);
return null;
}
};