[HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)

Signed-off-by: Guangxu Cheng <gxcheng@apache.org>
Signed-off-by: binlijin <binlijin@gmail.com>
This commit is contained in:
xincunSong 2020-05-02 02:57:33 +08:00 committed by stack
parent 6147aebd00
commit 9d90287b6d
4 changed files with 24 additions and 22 deletions

View File

@ -772,7 +772,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
familyMap.put(family, null); familyMap.put(family, null);
} }
requireNamespacePermission(c, "createTable", requireNamespacePermission(c, "createTable",
desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE); desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
Action.CREATE);
} }
@Override @Override
@ -1916,7 +1917,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
} }
/** /**
* Verifies user has CREATE privileges on * Verifies user has CREATE or ADMIN privileges on
* the Column Families involved in the bulkLoadHFile * the Column Families involved in the bulkLoadHFile
* request. Specific Column Write privileges are presently * request. Specific Column Write privileges are presently
* ignored. * ignored.
@ -1928,7 +1929,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for(Pair<byte[],String> el : familyPaths) { for(Pair<byte[],String> el : familyPaths) {
accessChecker.requirePermission(user, "preBulkLoadHFile", accessChecker.requirePermission(user, "preBulkLoadHFile",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null, ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
null, Action.CREATE); null, Action.ADMIN, Action.CREATE);
} }
} }
@ -1942,7 +1943,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException { throws IOException {
requireAccess(ctx, "prePrepareBulkLoad", requireAccess(ctx, "prePrepareBulkLoad",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
Action.CREATE);
} }
/** /**
@ -1955,7 +1957,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException { throws IOException {
requireAccess(ctx, "preCleanupBulkLoad", requireAccess(ctx, "preCleanupBulkLoad",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
Action.CREATE);
} }
/* ---- EndpointObserver implementation ---- */ /* ---- EndpointObserver implementation ---- */

View File

@ -396,11 +396,11 @@ public class TestAccessController extends SecureTestUtil {
}; };
// verify that superuser can create tables // verify that superuser can create tables
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied // all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_READ, USER_GROUP_WRITE); USER_GROUP_WRITE);
} }
@Test @Test
@ -997,9 +997,8 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata // User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE) // (ADMIN or CREATE)
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
USER_GROUP_CREATE); USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE, verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
USER_GROUP_ADMIN);
} finally { } finally {
// Reinit after the bulk upload // Reinit after the bulk upload
TEST_UTIL.getAdmin().disableTable(TEST_TABLE); TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
@ -2881,9 +2880,8 @@ public class TestAccessController extends SecureTestUtil {
private void verifyAnyCreate(AccessTestAction action) throws Exception { private void verifyAnyCreate(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
USER_GROUP_CREATE); USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
USER_GROUP_ADMIN);
} }
@Test @Test

View File

@ -287,11 +287,11 @@ public class TestAccessController3 extends SecureTestUtil {
}; };
// verify that superuser can create tables // verify that superuser can create tables
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied // all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_READ, USER_GROUP_WRITE); USER_GROUP_WRITE);
} }
} }

View File

@ -523,10 +523,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
} }
}; };
//createTable : superuser | global(C) | NS(C) //createTable : superuser | global(AC) | NS(AC)
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE); verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN); USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
USER_GROUP_READ, USER_GROUP_WRITE);
} }
} }