Repository: hbase Updated Branches: refs/heads/branch-1 4147dcb81 -> 8be6f95f9
HBASE-16311 Audit log for delete snapshot operation is missing in case of snapshot owner deleting the same (Yi Liang) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8be6f95f Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8be6f95f Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8be6f95f Branch: refs/heads/branch-1 Commit: 8be6f95f99e776c5b46845cb42d1c2c03c25f802 Parents: 4147dcb Author: Jerry He <jerry...@apache.org> Authored: Fri Sep 2 10:09:44 2016 -0700 Committer: Jerry He <jerry...@apache.org> Committed: Fri Sep 2 10:09:44 2016 -0700 ---------------------------------------------------------------------- .../hbase/security/access/AccessController.java | 25 +++++++++++++------- .../security/access/TestAccessController.java | 4 ++-- 2 files changed, 18 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/8be6f95f/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index a147b12..7d1345f 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -1313,17 +1313,21 @@ public class AccessController extends BaseMasterAndRegionObserver public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("snapshot", hTableDescriptor.getTableName(), null, null, + requirePermission("snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN); } @Override public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot) throws IOException { - if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) { + User user = getActiveUser(); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) { // list it, if user is the owner of snapshot + AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(), + "Snapshot owner check allowed", user, null, null, null); + logResult(result); } else { - requirePermission("listSnapshot", Action.ADMIN); + requirePermission("listSnapshot " + snapshot.getName(), Action.ADMIN); } } @@ -1331,7 +1335,7 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("clone", Action.ADMIN); + requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); } @Override @@ -1339,21 +1343,24 @@ public class AccessController extends BaseMasterAndRegionObserver final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) { - requirePermission("restoreSnapshot", hTableDescriptor.getTableName(), null, null, + requirePermission("restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN); } else { - requirePermission("restore", Action.ADMIN); + requirePermission("restoreSnapshot " + snapshot.getName(), Action.ADMIN); } } @Override public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot) throws IOException { - if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, getActiveUser())) { + User user = getActiveUser(); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) { // Snapshot owner is allowed to delete the snapshot - // TODO: We are not logging this for audit + AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(), + "Snapshot owner check allowed", user, null, null, null); + logResult(result); } else { - requirePermission("deleteSnapshot", Action.ADMIN); + requirePermission("deleteSnapshot " + snapshot.getName(), Action.ADMIN); } } http://git-wip-us.apache.org/repos/asf/hbase/blob/8be6f95f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 2e77c78..221241e 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -2051,7 +2051,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - null, null); + snapshot, null); return null; } }; @@ -2122,7 +2122,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - null, null); + snapshot, null); return null; } };
