HBASE-5787 Table owner can't disable/delete its own table (Matteo)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1327605 13f79535-47bb-0310-9956-ffa450edef68
parent
8d84537c19
commit
b346e6e26a
@ -505,7 +505,11 @@ public class AccessController extends BaseRegionObserver
@Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
requirePermission(Permission.Action.CREATE);
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
}
@Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -555,8 +559,11 @@ public class AccessController extends BaseRegionObserver
@Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
/* TODO: Allow for users with global CREATE permission and the table owner */
requirePermission(Permission.Action.ADMIN);
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
}
@Override
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -565,8 +572,11 @@ public class AccessController extends BaseRegionObserver
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException {
/* TODO: Allow for users with global CREATE permission and the table owner */
requirePermission(Permission.Action.ADMIN);
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
}
@Override
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -1027,4 +1037,16 @@ public class AccessController extends BaseRegionObserver
}
return tableName;
}
private String getTableOwner(MasterCoprocessorEnvironment e,
byte[] tableName) throws IOException {
HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
return htd.getOwnerString();
}
private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
byte[] tableName) throws IOException {
String activeUser = getActiveUser().getShortName();
return activeUser.equals(getTableOwner(e, tableName));
}
}
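Review bot: In preEnableTable and preDisableTable the owner branch replaces the ADMIN check instead of relaxing it: when `isActiveUserTableOwner` is true the only check reached is `requirePermission(Permission.Action.CREATE)`, so a user who owns the table and holds ADMIN but not CREATE passed the old unconditional ADMIN check and is now denied; if the intent is "owner with CREATE, or anyone with ADMIN", the owner branch should fall through to the ADMIN check rather than short-circuit it (preDeleteTable has the same exclusive shape, though its old check was already CREATE). Separately, getTableOwner obtains a client table handle via `e.getTable(tableName)` and never closes it, so every delete/enable/disable pre-hook leaks one; the rewrite below closes it in a finally block. The TestAccessController changes are variable renames only and still assert `verifyDenied(USER_OWNER, deleteTable)`, so the new owner path appears untested — a case where the owner also holds CREATE would pin the intended behaviour.
```java
private String getTableOwner(MasterCoprocessorEnvironment e,
    byte[] tableName) throws IOException {
  HTableInterface table = e.getTable(tableName);
  try {
    return table.getTableDescriptor().getOwnerString();
  } finally {
    table.close();
  }
}
```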
@ -205,7 +205,7 @@ public class TestAccessController {
@Test
public void testTableModify() throws Exception {
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@ -216,18 +216,18 @@ public class TestAccessController {
};
// all others should be denied
verifyDenied(USER_OWNER, disableTable);
verifyDenied(USER_RW, disableTable);
verifyDenied(USER_RO, disableTable);
verifyDenied(USER_NONE, disableTable);
verifyDenied(USER_OWNER, modifyTable);
verifyDenied(USER_RW, modifyTable);
verifyDenied(USER_RO, modifyTable);
verifyDenied(USER_NONE, modifyTable);
// verify that superuser can create tables
verifyAllowed(SUPERUSER, disableTable);
verifyAllowed(SUPERUSER, modifyTable);
}
@Test
public void testTableDelete() throws Exception {
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
public Object run() throws Exception {
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null;
@ -235,13 +235,13 @@ public class TestAccessController {
};
// all others should be denied
verifyDenied(USER_OWNER, disableTable);
verifyDenied(USER_RW, disableTable);
verifyDenied(USER_RO, disableTable);
verifyDenied(USER_NONE, disableTable);
verifyDenied(USER_OWNER, deleteTable);
verifyDenied(USER_RW, deleteTable);
verifyDenied(USER_RO, deleteTable);
verifyDenied(USER_NONE, deleteTable);
// verify that superuser can create tables
verifyAllowed(SUPERUSER, disableTable);
verifyAllowed(SUPERUSER, deleteTable);
}
@Test