Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[HBASE-24288]Allow admin user to create table and do bulkLoad (#1612) 

Signed-off-by: Guangxu Cheng <gxcheng@apache.org>
Signed-off-by: binlijin <binlijin@gmail.com>
This commit is contained in:
xincunSong 2020-05-02 02:57:33 +08:00 committed by GitHub
parent 9785f5d1c9
commit d67f065594
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -773,7 +773,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
familyMap.put(family, null);
}
requireNamespacePermission(c, "createTable",
desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
Action.CREATE);
}
@Override
@ -1916,7 +1917,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
/**
* Verifies user has CREATE privileges on
* Verifies user has CREATE or ADMIN privileges on
* the Column Families involved in the bulkLoadHFile
* request. Specific Column Write privileges are presently
* ignored.
@ -1928,7 +1929,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for(Pair<byte[],String> el : familyPaths) {
accessChecker.requirePermission(user, "preBulkLoadHFile",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
null, Action.CREATE);
null, Action.ADMIN, Action.CREATE);
}
}
@ -1942,7 +1943,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "prePrepareBulkLoad",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
Action.CREATE);
}
/**
@ -1955,7 +1957,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
throws IOException {
requireAccess(ctx, "preCleanupBulkLoad",
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
Action.CREATE);
}
/* ---- EndpointObserver implementation ---- */

16
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -407,11 +407,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
USER_GROUP_READ, USER_GROUP_WRITE);
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
}
@Test
@ -1015,9 +1015,8 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
USER_GROUP_CREATE);
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
USER_GROUP_ADMIN);
USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
@ -2909,9 +2908,8 @@ public class TestAccessController extends SecureTestUtil {
private void verifyAnyCreate(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
USER_GROUP_CREATE);
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
USER_GROUP_ADMIN);
USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test

6
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
View File

@ -293,11 +293,11 @@ public class TestAccessController3 extends SecureTestUtil {
};
// verify that superuser can create tables
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
// all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
USER_GROUP_READ, USER_GROUP_WRITE);
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
}
}

11
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -530,10 +530,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
//createTable : superuser | global(C) | NS(C)
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
//createTable : superuser | global(AC) | NS(AC)
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
USER_GROUP_READ, USER_GROUP_WRITE);
}
}