HBASE-5372. Table mutation operations should check table level rights (Laxman)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1348466 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Andrew Kyle Purtell
parent
acbac6481e
commit
f82402aeab
|
|
@ -372,12 +372,33 @@ public class AccessController extends BaseRegionObserver
|
|||
* @throws IOException if obtaining the current user fails
|
||||
* @throws AccessDeniedException if authorization is denied
|
||||
*/
|
||||
private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
|
||||
byte[] tableName) throws IOException {
|
||||
if (isActiveUserTableOwner(e, tableName)) {
|
||||
requirePermission(Permission.Action.CREATE);
|
||||
private void requireTableAdminPermission(MasterCoprocessorEnvironment e, byte[] tableName)
|
||||
throws IOException {
|
||||
User user = getActiveUser();
|
||||
AuthResult result = null;
|
||||
|
||||
// Table admins are allowed to perform DDL
|
||||
if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)) {
|
||||
result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
|
||||
tableName);
|
||||
} else if (isActiveUserTableOwner(e, tableName)) {
|
||||
// Table owners with Create permission are allowed to perform DDL
|
||||
if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE)) {
|
||||
result = AuthResult.allow("Owner has table permission", user,
|
||||
TablePermission.Action.CREATE, tableName);
|
||||
} else {
|
||||
// Table owners without Create permission cannot perform DDL
|
||||
result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
|
||||
tableName);
|
||||
}
|
||||
} else {
|
||||
requirePermission(Permission.Action.ADMIN);
|
||||
// rest of the world
|
||||
result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
|
||||
tableName);
|
||||
}
|
||||
logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -80,6 +80,8 @@ public class TestAccessController {
|
|||
private static User USER_RW;
|
||||
// user with read-only permissions
|
||||
private static User USER_RO;
|
||||
// user with table admin permissions
|
||||
private static User USER_TBLADM;
|
||||
// user with no permissions
|
||||
private static User USER_NONE;
|
||||
|
||||
|
|
@ -110,6 +112,7 @@ public class TestAccessController {
|
|||
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
|
||||
USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
|
||||
USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
|
||||
USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
|
||||
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
|
||||
|
||||
HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
|
||||
|
|
@ -132,6 +135,9 @@ public class TestAccessController {
|
|||
|
||||
protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()),
|
||||
TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
|
||||
|
||||
protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
|
||||
TEST_TABLE, null, Permission.Action.ADMIN));
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
|
|
@ -232,6 +238,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, modifyTable);
|
||||
verifyAllowed(USER_ADMIN, modifyTable);
|
||||
verifyAllowed(USER_TBLADM, modifyTable);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -252,6 +259,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, deleteTable);
|
||||
verifyAllowed(USER_ADMIN, deleteTable);
|
||||
verifyAllowed(USER_TBLADM, deleteTable);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -273,6 +281,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, action);
|
||||
verifyAllowed(USER_ADMIN, action);
|
||||
verifyAllowed(USER_TBLADM, action);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -295,6 +304,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, action);
|
||||
verifyAllowed(USER_ADMIN, action);
|
||||
verifyAllowed(USER_TBLADM, action);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -315,6 +325,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, action);
|
||||
verifyAllowed(USER_ADMIN, action);
|
||||
verifyAllowed(USER_TBLADM, action);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -335,6 +346,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, disableTable);
|
||||
verifyAllowed(USER_ADMIN, disableTable);
|
||||
verifyAllowed(USER_TBLADM, disableTable);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -355,6 +367,7 @@ public class TestAccessController {
|
|||
// verify that superuser can create tables
|
||||
verifyAllowed(SUPERUSER, enableTable);
|
||||
verifyAllowed(USER_ADMIN, enableTable);
|
||||
verifyAllowed(USER_TBLADM, enableTable);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
|||
Loading…
Reference in New Issue