svn commit: r1229621 - /incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java

Tue, 10 Jan 2012 08:12:11 -0800 

Author: vines
Date: Tue Jan 10 16:11:48 2012
New Revision: 1229621

URL: http://svn.apache.org/viewvc?rev=1229621&view=rev
Log:
ACCUMULO-264 - will now error if the creator does not have any one 
authorization the created user has.

Modified:
    
incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java

Modified: 
incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
URL: 
http://svn.apache.org/viewvc/incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java?rev=1229621&r1=1229620&r2=1229621&view=diff
==============================================================================
--- 
incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
 (original)
+++ 
incubator/accumulo/branches/1.4/src/server/src/main/java/org/apache/accumulo/server/security/ZKAuthenticator.java
 Tue Jan 10 16:11:48 2012
@@ -208,6 +208,15 @@ public final class ZKAuthenticator imple
     if (!hasSystemPermission(credentials, credentials.user, 
SystemPermission.CREATE_USER))
       throw new AccumuloSecurityException(credentials.user, 
SecurityErrorCode.PERMISSION_DENIED);
     
+    if (!hasSystemPermission(credentials, credentials.user, 
SystemPermission.ALTER_USER)) {
+      Authorizations creatorAuths = getUserAuthorizations(credentials, 
credentials.user);
+      for (byte[] auth : authorizations.getAuthorizations())
+        if (!creatorAuths.contains(auth)) {
+          log.info("User " + credentials.user + " attempted to create a user " 
+ user + " with authorization " + new String(auth) + " they did not have");
+          throw new AccumuloSecurityException(credentials.user, 
SecurityErrorCode.BAD_AUTHORIZATIONS);
+        }
+    }
+    
     // don't allow creating a user with the same name as system user
     if (user.equals(SecurityConstants.SYSTEM_USERNAME))
       throw new AccumuloSecurityException(user, 
SecurityErrorCode.PERMISSION_DENIED);

Reply via email to