From e8914f26d2fcb3958d839f6c69d7c4a308cd5512 Mon Sep 17 00:00:00 2001
From: Srikanth Srungarapu
Date: Tue, 2 Jun 2015 22:37:41 -0700
Subject: [PATCH] HBASE-13826 Unable to create table when group acls are appropriately set.
---
 .../security/access/TableAuthManager.java | 10 +--------
 .../access/TestAccessController2.java | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
index 57adbc0a275..367952b8cc0 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
@@ -391,7 +391,7 @@ public class TableAuthManager {
 public boolean authorize(User user, String namespace, Permission.Action action) {
 // Global authorizations supercede namespace level
- if (authorizeUser(user, action)) {
+ if (authorize(user, action)) {
 return true;
 }
 // Check namespace permissions
@@ -429,14 +429,6 @@ public class TableAuthManager {
 return false;
 }
- /**
- * Checks global authorization for a specific action for a user, based on the
- * stored user permissions.
- */
- public boolean authorizeUser(User user, Permission.Action action) {
- return authorize(globalCache.getUser(user.getShortName()), action);
- }
-
 /**
 * Checks authorization to a given table and column family for a user, based on the
 * stored user permissions.
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index f3521363dcc..01a45bc4e5c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
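Review bot: The comment above the changed call in the first TableAuthManager hunk, `// Global authorizations supercede namespace level`, no longer tells a reader which grants are consulted. The removed `authorizeUser` read only `globalCache.getUser(user.getShortName())`, while `authorize(user, action)` is presumably the overload that also walks the caller's groups (its body is not in the diff). I would say so on that line, e.g. `// Global grants, user or group, supersede namespace-level grants`, because this is the check that decides whether a group-level CREATE reaches table creation. The second hunk drops the public `authorizeUser` outright, so any caller outside this patch must move to `authorize(user, action)` and will start honouring group grants too; that widening is worth confirming per call site. The remainder of the method, after `// Check namespace permissions`, lies outside the hunk.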
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java @@ -195,6 +195,27 @@ public class TestAccessController2 extends SecureTestUtil { assertTrue(perms.get(0).implies(Permission.Action.ADMIN)); } + @Test + public void testCreateTableWithGroupPermissions() throws Exception { + grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); + AccessTestAction createAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); + desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); + try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { + try (Admin admin = connection.getAdmin()) { + admin.createTable(desc); + } + } + return null; + } + }; + verifyAllowed(createAction, TESTGROUP1_USER1); + verifyDenied(createAction, TESTGROUP2_USER1); + revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); + } + @Test public void testACLTableAccess() throws Exception { final Configuration conf = TEST_UTIL.getConfiguration();
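Review bot: `revokeGlobal(...)` at the end of `testCreateTableWithGroupPermissions` runs only when both verify calls pass, so a failed assertion leaves the global CREATE grant for TESTGROUP_1 in place. If `TEST_UTIL` is shared across the class, as it appears to be, that leftover grant can hide a missing-permission failure in later tests. Putting the cleanup in a finally block avoids this: `try { verifyAllowed(createAction, TESTGROUP1_USER1); verifyDenied(createAction, TESTGROUP2_USER1); } finally { revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); }`. The test also never shows that access comes from the group grant itself; a `verifyDenied(createAction, TESTGROUP1_USER1);` placed before `grantGlobal` would pin that down. The table created under `verifyAllowed` is not dropped in the visible lines, so it is worth checking that the class teardown removes TEST_TABLE.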