[HBASE-24288]Allow admin user to create table and do bulkLoad (#1612)
Signed-off-by: Guangxu Cheng <gxcheng@apache.org> Signed-off-by: binlijin <binlijin@gmail.com>
parent
9785f5d1c9
commit
d67f065594
|
@ -773,7 +773,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
familyMap.put(family, null);
|
familyMap.put(family, null);
|
||||||
}
|
}
|
||||||
requireNamespacePermission(c, "createTable",
|
requireNamespacePermission(c, "createTable",
|
||||||
desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
|
desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN,
|
||||||
|
Action.CREATE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -1916,7 +1917,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies user has CREATE privileges on
|
* Verifies user has CREATE or ADMIN privileges on
|
||||||
* the Column Families involved in the bulkLoadHFile
|
* the Column Families involved in the bulkLoadHFile
|
||||||
* request. Specific Column Write privileges are presently
|
* request. Specific Column Write privileges are presently
|
||||||
* ignored.
|
* ignored.
|
||||||
|
@ -1928,7 +1929,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
for(Pair<byte[],String> el : familyPaths) {
|
for(Pair<byte[],String> el : familyPaths) {
|
||||||
accessChecker.requirePermission(user, "preBulkLoadHFile",
|
accessChecker.requirePermission(user, "preBulkLoadHFile",
|
||||||
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
|
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null,
|
||||||
null, Action.CREATE);
|
null, Action.ADMIN, Action.CREATE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1942,7 +1943,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
|
public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
requireAccess(ctx, "prePrepareBulkLoad",
|
requireAccess(ctx, "prePrepareBulkLoad",
|
||||||
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
|
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
|
||||||
|
Action.CREATE);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1955,7 +1957,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
|
||||||
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
|
public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
requireAccess(ctx, "preCleanupBulkLoad",
|
requireAccess(ctx, "preCleanupBulkLoad",
|
||||||
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
|
ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN,
|
||||||
|
Action.CREATE);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ---- EndpointObserver implementation ---- */
|
/* ---- EndpointObserver implementation ---- */
|
||||||
|
|
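Review bot: The new `Action.ADMIN, Action.CREATE` argument lists in preCreateTable, preBulkLoadHFile, prePrepareBulkLoad and preCleanupBulkLoad read as if both permissions were now required, while the hunk's own Javadoc ("CREATE or ADMIN") and the test comment ("ADMIN or CREATE") say either suffices; a one-line comment at the first site, `// either ADMIN or CREATE is sufficient: the actions are checked any-of`, would keep a reader from concluding the check became stricter. Only the preBulkLoadHFile Javadoc is updated; the Javadoc of preCreateTable (above the first hunk) and of prePrepareBulkLoad and preCleanupBulkLoad (their `/**` openers are visible but the text is not) should say the same if they name the required action. Because this widens who may create tables and bulk-load into them — an ADMIN grant at the scope each check consults now qualifies — any reference documentation that lists the accepted permissions per operation should be brought in line in the same change. All four enclosing methods start or end outside their hunks.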
|
@ -407,11 +407,11 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
};
|
};
|
||||||
|
|
||||||
// verify that superuser can create tables
|
// verify that superuser can create tables
|
||||||
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
|
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
|
||||||
|
|
||||||
// all others should be denied
|
// all others should be denied
|
||||||
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
|
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
USER_GROUP_READ, USER_GROUP_WRITE);
|
USER_GROUP_WRITE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -1015,9 +1015,8 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
// User performing bulk loads must have privilege to read table metadata
|
// User performing bulk loads must have privilege to read table metadata
|
||||||
// (ADMIN or CREATE)
|
// (ADMIN or CREATE)
|
||||||
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
|
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
|
||||||
USER_GROUP_CREATE);
|
USER_GROUP_CREATE, USER_GROUP_ADMIN);
|
||||||
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
|
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE);
|
||||||
USER_GROUP_ADMIN);
|
|
||||||
} finally {
|
} finally {
|
||||||
// Reinit after the bulk upload
|
// Reinit after the bulk upload
|
||||||
TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
|
TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
|
||||||
|
@ -2909,9 +2908,8 @@ public class TestAccessController extends SecureTestUtil {
|
||||||
|
|
||||||
private void verifyAnyCreate(AccessTestAction action) throws Exception {
|
private void verifyAnyCreate(AccessTestAction action) throws Exception {
|
||||||
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
|
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
|
||||||
USER_GROUP_CREATE);
|
USER_GROUP_CREATE, USER_GROUP_ADMIN);
|
||||||
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
|
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE);
|
||||||
USER_GROUP_ADMIN);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
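Review bot: The comment `// verify that superuser can create tables` above the widened `verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN)` no longer describes the assertion, which now also pins that CREATE and ADMIN holders (user and group) are allowed; `// verify that superuser and holders of CREATE or ADMIN (user or group) can create tables` would match, and the same stale comment sits above the identical change in TestAccessController3. The bulk-load assertions now agree with their pre-existing `(ADMIN or CREATE)` comment, which previously contradicted the USER_GROUP_ADMIN entry in the denied list. USER_ADMIN_CF is in verifyAnyCreate's allowed list but appears in neither list of the bulk-load test; if that column-family-scoped admin user is meant to be covered, pinning its bulk-load outcome would document whether the table-level requireAccess in prePrepareBulkLoad admits it. The enclosing test methods start outside their hunks.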
|
@ -293,11 +293,11 @@ public class TestAccessController3 extends SecureTestUtil {
|
||||||
};
|
};
|
||||||
|
|
||||||
// verify that superuser can create tables
|
// verify that superuser can create tables
|
||||||
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
|
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
|
||||||
|
|
||||||
// all others should be denied
|
// all others should be denied
|
||||||
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
|
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
|
||||||
USER_GROUP_READ, USER_GROUP_WRITE);
|
USER_GROUP_WRITE);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -530,10 +530,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
//createTable : superuser | global(C) | NS(C)
|
//createTable : superuser | global(AC) | NS(AC)
|
||||||
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
|
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE,
|
||||||
verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
|
USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
|
||||||
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
|
verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC,
|
||||||
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
|
USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE,
|
||||||
|
USER_GROUP_READ, USER_GROUP_WRITE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
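Review bot: The denied list for createTable now ends at USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ and USER_GROUP_WRITE, so nothing pins that an ADMIN grant at table scope or on a different namespace does not satisfy the namespace-level check that preCreateTable now accepts ADMIN for; if the fixture defines such a user, adding it to `verifyDenied(createTable, ...)` would lock down the scope boundary the widened check relies on. The updated comment `//createTable : superuser | global(AC) | NS(AC)` is consistent with the new allowed list. The enclosing test method starts outside the hunk.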