Repository: hbase Updated Branches: refs/heads/branch-1 05b010cac -> b7f283c6f
HBASE-16724 Snapshot owner can't clone Signed-off-by: Ashish Singhi <ashishsin...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/b7f283c6 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/b7f283c6 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/b7f283c6 Branch: refs/heads/branch-1 Commit: b7f283c6f6728238bb553c80aa6eafce0df0d650 Parents: 05b010c Author: Pankaj Kumar <pankaj...@huawei.com> Authored: Sat Oct 15 11:57:00 2016 +0530 Committer: Ashish Singhi <ashishsin...@apache.org> Committed: Sat Oct 15 11:57:00 2016 +0530 ---------------------------------------------------------------------- .../hadoop/hbase/security/access/AccessController.java | 11 ++++++++++- .../hbase/security/access/TestAccessController.java | 10 ++++------ src/main/asciidoc/_chapters/appendix_acl_matrix.adoc | 2 +- 3 files changed, 15 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 2152440..7be4540 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java 
@@ -1342,7 +1342,16 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); + User user = getActiveUser(); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) + && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) { + // Snapshot owner is allowed to create a table with the same name as the snapshot he took + AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(), + "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null); + logResult(result); + } else { + requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN); + } } @Override http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 221241e..79d65cd 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
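Review bot: The snapshot-owner branch added to preCloneSnapshot allows table creation on ownership plus a table-name match alone, with no check of the caller's current rights, whereas the restoreSnapshot row of the ACL matrix touched by this commit requires `SnapshotOwner & (NS(A)|TableOwner|table(A))`. A user whose table or namespace permissions were revoked after taking the snapshot could presumably still recreate the table and its data once the original is dropped; if that is intended, say so in the comment, e.g. `// No permission check on the target table/namespace here: snapshot ownership alone authorizes a same-name clone`. The decision also depends on the owner field carried in `snapshot`, so it is worth confirming that callers pass the descriptor read from server-side storage and not the one supplied in the client request. Separately, `hTableDescriptor` is now dereferenced whenever the owner check passes, and the test in this commit previously passed `null` for it, so adding `hTableDescriptor != null &&` to the condition would make a null descriptor fall through to the ADMIN check instead of throwing NullPointerException.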
@@ -2122,15 +2122,13 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - snapshot, null); + snapshot, htd); return null; } }; - // Clone by snapshot owner is not allowed , because clone operation creates a new table, - // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, - USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test (timeout=180000) http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc index cb285f3..adc2b1f 100644 --- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc +++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc @@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which check for accuracy of p | | stopMaster | superuser\|global(A) | | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A) | | listSnapshot | superuser\|global(A)\|SnapshotOwner -| | cloneSnapshot | superuser\|global(A) +| | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName matches) | | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|TableOwner\|table(A)) | | deleteSnapshot | superuser\|global(A)\|SnapshotOwner | | createNamespace | superuser\|global(A)
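Review bot: The updated test covers only the allow path for USER_OWNER, using `htd`, which is defined outside this hunk and presumably carries the same table name as the snapshot; nothing verifies that the owner is still denied when the target table name differs. Since the name comparison is the only thing limiting the new owner bypass in preCloneSnapshot, a negative case should pin it: build a second action that passes a descriptor for a different table name and assert `verifyDenied(cloneToOtherNameAction, USER_OWNER);`. It would also help to replace the removed comment with one that states the new rule, e.g. `// Snapshot owner may clone only to a table with the same name as the snapshotted table`. The enclosing test method starts before this hunk.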