HBASE-5372. Table mutation operations should check table level rights (Laxman)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1348466 13f79535-47bb-0310-9956-ffa450edef68

hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java

@@ -372,12 +372,33 @@ public class AccessController extends BaseRegionObserver
    * @throws IOException if obtaining the current user fails
    * @throws AccessDeniedException if authorization is denied
    */
-  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+  private void requireTableAdminPermission(MasterCoprocessorEnvironment e, byte[] tableName)
-      byte[] tableName) throws IOException {
+      throws IOException {
-    if (isActiveUserTableOwner(e, tableName)) {
+    User user = getActiveUser();
-      requirePermission(Permission.Action.CREATE);
+    AuthResult result = null;
+
+    // Table admins are allowed to perform DDL
+    if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)) {
+      result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
+          tableName);
+    } else if (isActiveUserTableOwner(e, tableName)) {
+      // Table owners with Create permission are allowed to perform DDL
+      if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE)) {
+        result = AuthResult.allow("Owner has table permission", user,
+            TablePermission.Action.CREATE, tableName);
+      } else {
+        // Table owners without Create permission cannot perform DDL
+        result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
+            tableName);
+      }
     } else {
-      requirePermission(Permission.Action.ADMIN);
+      // rest of the world
+      result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
+          tableName);
+    }
+    logResult(result);
+    if (!result.isAllowed()) {
+      throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
     }
   }
 

hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

@@ -80,6 +80,8 @@ public class TestAccessController {
   private static User USER_RW;
   // user with read-only permissions
   private static User USER_RO;
+  // user with table admin permissions
+  private static User USER_TBLADM;
   // user with no permissions
   private static User USER_NONE;
 
@@ -110,6 +112,7 @@ public class TestAccessController {
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
     USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
+    USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
 
     HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
@@ -132,6 +135,9 @@ public class TestAccessController {
 
     protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()),
                    TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
+
+    protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
+      TEST_TABLE, null, Permission.Action.ADMIN));    
   }
 
   @AfterClass
@@ -232,6 +238,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, modifyTable);
     verifyAllowed(USER_ADMIN, modifyTable);
+    verifyAllowed(USER_TBLADM, modifyTable);
   }
 
   @Test
@@ -252,6 +259,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, deleteTable);
     verifyAllowed(USER_ADMIN, deleteTable);
+    verifyAllowed(USER_TBLADM, deleteTable);
   }
 
   @Test
@@ -273,6 +281,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -295,6 +304,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -315,6 +325,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, action);
     verifyAllowed(USER_ADMIN, action);
+    verifyAllowed(USER_TBLADM, action);
   }
 
   @Test
@@ -335,6 +346,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, disableTable);
     verifyAllowed(USER_ADMIN, disableTable);
+    verifyAllowed(USER_TBLADM, disableTable);
   }
 
   @Test
@@ -355,6 +367,7 @@ public class TestAccessController {
     // verify that superuser can create tables
     verifyAllowed(SUPERUSER, enableTable);
     verifyAllowed(USER_ADMIN, enableTable);
+    verifyAllowed(USER_TBLADM, enableTable);
   }
 
   @Test