HBASE-5787 Table owner can't disable/delete its own table (Matteo)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1327605 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Zhihong Yu 2012-04-18 18:20:46 +00:00
parent 8d84537c19
commit b346e6e26a
2 changed files with 39 additions and 17 deletions

View File

@ -505,7 +505,11 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException { byte[] tableName) throws IOException {
requirePermission(Permission.Action.CREATE); if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
} }
@Override @Override
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -555,8 +559,11 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException { byte[] tableName) throws IOException {
/* TODO: Allow for users with global CREATE permission and the table owner */ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.ADMIN); requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
} }
@Override @Override
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -565,8 +572,11 @@ public class AccessController extends BaseRegionObserver
@Override @Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
byte[] tableName) throws IOException { byte[] tableName) throws IOException {
/* TODO: Allow for users with global CREATE permission and the table owner */ if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
requirePermission(Permission.Action.ADMIN); requirePermission(Permission.Action.CREATE);
} else {
requirePermission(Permission.Action.ADMIN);
}
} }
@Override @Override
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
@ -1027,4 +1037,16 @@ public class AccessController extends BaseRegionObserver
} }
return tableName; return tableName;
} }
private String getTableOwner(MasterCoprocessorEnvironment e,
byte[] tableName) throws IOException {
HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
return htd.getOwnerString();
}
private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
byte[] tableName) throws IOException {
String activeUser = getActiveUser().getShortName();
return activeUser.equals(getTableOwner(e, tableName));
}
} }

View File

@ -205,7 +205,7 @@ public class TestAccessController {
@Test @Test
public void testTableModify() throws Exception { public void testTableModify() throws Exception {
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() { PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
public Object run() throws Exception { public Object run() throws Exception {
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@ -216,18 +216,18 @@ public class TestAccessController {
}; };
// all others should be denied // all others should be denied
verifyDenied(USER_OWNER, disableTable); verifyDenied(USER_OWNER, modifyTable);
verifyDenied(USER_RW, disableTable); verifyDenied(USER_RW, modifyTable);
verifyDenied(USER_RO, disableTable); verifyDenied(USER_RO, modifyTable);
verifyDenied(USER_NONE, disableTable); verifyDenied(USER_NONE, modifyTable);
// verify that superuser can create tables // verify that superuser can create tables
verifyAllowed(SUPERUSER, disableTable); verifyAllowed(SUPERUSER, modifyTable);
} }
@Test @Test
public void testTableDelete() throws Exception { public void testTableDelete() throws Exception {
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() { PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
public Object run() throws Exception { public Object run() throws Exception {
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null; return null;
@ -235,13 +235,13 @@ public class TestAccessController {
}; };
// all others should be denied // all others should be denied
verifyDenied(USER_OWNER, disableTable); verifyDenied(USER_OWNER, deleteTable);
verifyDenied(USER_RW, disableTable); verifyDenied(USER_RW, deleteTable);
verifyDenied(USER_RO, disableTable); verifyDenied(USER_RO, deleteTable);
verifyDenied(USER_NONE, disableTable); verifyDenied(USER_NONE, deleteTable);
// verify that superuser can create tables // verify that superuser can create tables
verifyAllowed(SUPERUSER, disableTable); verifyAllowed(SUPERUSER, deleteTable);
} }
@Test @Test