From b7f283c6f6728238bb553c80aa6eafce0df0d650 Mon Sep 17 00:00:00 2001 From: Pankaj Kumar Date: Sat, 15 Oct 2016 11:57:00 +0530 Subject: [PATCH] HBASE-16724 Snapshot owner can't clone Signed-off-by: Ashish Singhi --- .../hbase/security/access/AccessController.java | 11 ++++++++++- .../hbase/security/access/TestAccessController.java | 10 ++++------ src/main/asciidoc/_chapters/appendix_acl_matrix.adoc | 2 +- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 21524402cbe..7be45402fe9 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -1342,7 +1342,16 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); + User user = getActiveUser(); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) + && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) { + // Snapshot owner is allowed to create a table with the same name as the snapshot he took + AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(), + "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null); + logResult(result); + } else { + requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); + } } @Override diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 221241e2722..79d65cda4b5 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -2122,15 +2122,13 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - snapshot, null); + snapshot, htd); return null; } }; - // Clone by snapshot owner is not allowed , because clone operation creates a new table, - // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, - USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test (timeout=180000) diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc index cb285f3a57f..adc2b1f4def 100644 --- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc +++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc @@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which check for accuracy of p | | stopMaster | superuser\|global(A) | | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A) | | listSnapshot | superuser\|global(A)\|SnapshotOwner -| | cloneSnapshot | superuser\|global(A) +| | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName matches) | | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|TableOwner\|table(A)) | | deleteSnapshot | superuser\|global(A)\|SnapshotOwner | | createNamespace | superuser\|global(A)