HBASE-5787 Table owner can't disable/delete its own table (Matteo)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1327605 13f79535-47bb-0310-9956-ffa450edef68
parent
8d84537c19
commit
b346e6e26a
|
@ -505,7 +505,11 @@ public class AccessController extends BaseRegionObserver
|
||||||
@Override
|
@Override
|
||||||
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
byte[] tableName) throws IOException {
|
byte[] tableName) throws IOException {
|
||||||
requirePermission(Permission.Action.CREATE);
|
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
|
||||||
|
requirePermission(Permission.Action.CREATE);
|
||||||
|
} else {
|
||||||
|
requirePermission(Permission.Action.ADMIN);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@Override
|
@Override
|
||||||
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
|
@ -555,8 +559,11 @@ public class AccessController extends BaseRegionObserver
|
||||||
@Override
|
@Override
|
||||||
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
byte[] tableName) throws IOException {
|
byte[] tableName) throws IOException {
|
||||||
/* TODO: Allow for users with global CREATE permission and the table owner */
|
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
|
||||||
requirePermission(Permission.Action.ADMIN);
|
requirePermission(Permission.Action.CREATE);
|
||||||
|
} else {
|
||||||
|
requirePermission(Permission.Action.ADMIN);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@Override
|
@Override
|
||||||
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
|
@ -565,8 +572,11 @@ public class AccessController extends BaseRegionObserver
|
||||||
@Override
|
@Override
|
||||||
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
byte[] tableName) throws IOException {
|
byte[] tableName) throws IOException {
|
||||||
/* TODO: Allow for users with global CREATE permission and the table owner */
|
if (isActiveUserTableOwner(c.getEnvironment(), tableName)) {
|
||||||
requirePermission(Permission.Action.ADMIN);
|
requirePermission(Permission.Action.CREATE);
|
||||||
|
} else {
|
||||||
|
requirePermission(Permission.Action.ADMIN);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@Override
|
@Override
|
||||||
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
|
||||||
|
@ -1027,4 +1037,16 @@ public class AccessController extends BaseRegionObserver
|
||||||
}
|
}
|
||||||
return tableName;
|
return tableName;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private String getTableOwner(MasterCoprocessorEnvironment e,
|
||||||
|
byte[] tableName) throws IOException {
|
||||||
|
HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
|
||||||
|
return htd.getOwnerString();
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
|
||||||
|
byte[] tableName) throws IOException {
|
||||||
|
String activeUser = getActiveUser().getShortName();
|
||||||
|
return activeUser.equals(getTableOwner(e, tableName));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
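Review bot: `getTableOwner` obtains a table handle with `e.getTable(tableName)` and never closes it, so every disable, enable or delete that passes through these hooks leaks whatever connection or pool resources that `HTableInterface` holds; wrap the descriptor lookup in try/finally and `close()` the handle. A security-relevant side effect of the new ordering is that the owner lookup now runs before any `requirePermission` call, so a caller with no grants at all receives the lookup's failure (presumably a TableNotFoundException for a missing table) instead of an AccessDeniedException, which discloses table existence; catching that failure and falling through to the `requirePermission(Permission.Action.ADMIN)` branch keeps the response uniform. The same five-line owner/ADMIN branch is copied verbatim into preDeleteTable, preEnableTable and preDisableTable and would read better as one private helper such as `requireOwnerOrAdmin(c.getEnvironment(), tableName)`. The test hunks in this commit only rename locals and still assert `verifyDenied(USER_OWNER, deleteTable)`, so the new owner-with-CREATE path is untested; the enclosing AccessController class continues outside these hunks.
```java
private String getTableOwner(MasterCoprocessorEnvironment e,
    byte[] tableName) throws IOException {
  // Release the handle: the environment's getTable() hands out an HTableInterface
  // that holds connection resources until closed.
  HTableInterface table = e.getTable(tableName);
  try {
    return table.getTableDescriptor().getOwnerString();
  } finally {
    table.close();
  }
}
```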
@ -205,7 +205,7 @@ public class TestAccessController {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testTableModify() throws Exception {
|
public void testTableModify() throws Exception {
|
||||||
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
|
PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() {
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
|
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
|
||||||
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
|
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
|
||||||
|
@ -216,18 +216,18 @@ public class TestAccessController {
|
||||||
};
|
};
|
||||||
|
|
||||||
// all others should be denied
|
// all others should be denied
|
||||||
verifyDenied(USER_OWNER, disableTable);
|
verifyDenied(USER_OWNER, modifyTable);
|
||||||
verifyDenied(USER_RW, disableTable);
|
verifyDenied(USER_RW, modifyTable);
|
||||||
verifyDenied(USER_RO, disableTable);
|
verifyDenied(USER_RO, modifyTable);
|
||||||
verifyDenied(USER_NONE, disableTable);
|
verifyDenied(USER_NONE, modifyTable);
|
||||||
|
|
||||||
// verify that superuser can create tables
|
// verify that superuser can create tables
|
||||||
verifyAllowed(SUPERUSER, disableTable);
|
verifyAllowed(SUPERUSER, modifyTable);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testTableDelete() throws Exception {
|
public void testTableDelete() throws Exception {
|
||||||
PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() {
|
PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() {
|
||||||
public Object run() throws Exception {
|
public Object run() throws Exception {
|
||||||
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
|
ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
|
||||||
return null;
|
return null;
|
||||||
|
@ -235,13 +235,13 @@ public class TestAccessController {
|
||||||
};
|
};
|
||||||
|
|
||||||
// all others should be denied
|
// all others should be denied
|
||||||
verifyDenied(USER_OWNER, disableTable);
|
verifyDenied(USER_OWNER, deleteTable);
|
||||||
verifyDenied(USER_RW, disableTable);
|
verifyDenied(USER_RW, deleteTable);
|
||||||
verifyDenied(USER_RO, disableTable);
|
verifyDenied(USER_RO, deleteTable);
|
||||||
verifyDenied(USER_NONE, disableTable);
|
verifyDenied(USER_NONE, deleteTable);
|
||||||
|
|
||||||
// verify that superuser can create tables
|
// verify that superuser can create tables
|
||||||
verifyAllowed(SUPERUSER, disableTable);
|
verifyAllowed(SUPERUSER, deleteTable);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|