From c9c67d1a946d19bed96c92f2ff2142ac15770696 Mon Sep 17 00:00:00 2001 From: Pankaj Kumar Date: Thu, 13 Oct 2016 17:20:52 +0530 Subject: [PATCH] HBASE-16724 Snapshot owner can't clone Signed-off-by: Ashish Singhi --- .../hbase/security/access/AccessController.java | 11 ++++++++++- .../hbase/security/access/TestAccessController.java | 10 ++++------ src/main/asciidoc/_chapters/appendix_acl_matrix.adoc | 2 +- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index d8e61a4f917..3fc2ef5c8fa 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -1341,7 +1341,16 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN); + User user = getActiveUser(ctx); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) + && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) { + // Snapshot owner is allowed to create a table with the same name as the snapshot he took + AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(), + "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null); + logResult(result); + } else { + requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN); + } } @Override diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 9ba0d0e26e1..ef446937587 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -2124,15 +2124,13 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - snapshot, null); + snapshot, htd); return null; } }; - // Clone by snapshot owner is not allowed , because clone operation creates a new table, - // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, - USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test (timeout=180000) diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc index 698ae8222cf..e222875494d 100644 --- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc +++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc @@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which check for accuracy of p | | stopMaster | superuser\|global(A) | | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A) | | listSnapshot | superuser\|global(A)\|SnapshotOwner -| | cloneSnapshot | superuser\|global(A) +| | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName matches) | | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|TableOwner\|table(A)) | | deleteSnapshot | superuser\|global(A)\|SnapshotOwner | | createNamespace | superuser\|global(A)