Repository: hbase
Updated Branches:
  refs/heads/branch-1 05b010cac -> b7f283c6f


HBASE-16724 Snapshot owner can't clone

Signed-off-by: Ashish Singhi <ashishsin...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/b7f283c6
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/b7f283c6
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/b7f283c6

Branch: refs/heads/branch-1
Commit: b7f283c6f6728238bb553c80aa6eafce0df0d650
Parents: 05b010c
Author: Pankaj Kumar <pankaj...@huawei.com>
Authored: Sat Oct 15 11:57:00 2016 +0530
Committer: Ashish Singhi <ashishsin...@apache.org>
Committed: Sat Oct 15 11:57:00 2016 +0530

----------------------------------------------------------------------
 .../hadoop/hbase/security/access/AccessController.java   | 11 ++++++++++-
 .../hbase/security/access/TestAccessController.java      | 10 ++++------
 src/main/asciidoc/_chapters/appendix_acl_matrix.adoc     |  2 +-
 3 files changed, 15 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 2152440..7be4540 100644
--- 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1342,7 +1342,16 @@ public class AccessController extends 
BaseMasterAndRegionObserver
   public void preCloneSnapshot(final 
ObserverContext<MasterCoprocessorEnvironment> ctx,
       final SnapshotDescription snapshot, final HTableDescriptor 
hTableDescriptor)
       throws IOException {
-    requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+    User user = getActiveUser();
+    if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
+        && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) {
+      // Snapshot owner is allowed to create a table with the same name as the 
snapshot he took
+      AuthResult result = AuthResult.allow("cloneSnapshot " + 
snapshot.getName(),
+        "Snapshot owner check allowed", user, null, 
hTableDescriptor.getTableName(), null);
+      logResult(result);
+    } else {
+      requirePermission("cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+    }
   }
 
   @Override
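Review bot: The owner branch of preCloneSnapshot dereferences `hTableDescriptor` without a null check, so a snapshot owner who reaches this hook with a null descriptor gets a NullPointerException instead of falling through to the ADMIN check; the test in this commit switches its argument from `null` to `htd`, presumably for that reason. Adding the guard to the condition, `&& hTableDescriptor != null && hTableDescriptor.getNameAsString().equals(snapshot.getTable())`, keeps the failure mode an authorization denial. Separately, this branch relies on the owner and table fields of `snapshot` to grant what previously required global ADMIN. If the descriptor handed to this hook can be the client's request copy rather than the one stored with the snapshot (not visible in this hunk), those fields are caller-supplied and the check should use the stored descriptor. A comment recording that assumption would help, for example `// snapshot must be the descriptor read from the stored snapshot, not the request copy`.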

http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 221241e..79d65cd 100644
--- 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2122,15 +2122,13 @@ public class TestAccessController extends 
SecureTestUtil {
       @Override
       public Object run() throws Exception {
         
ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, 
null),
-          snapshot, null);
+          snapshot, htd);
         return null;
       }
     };
-    // Clone by snapshot owner is not allowed , because clone operation 
creates a new table,
-    // which needs global admin permission.
-    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
-    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, 
USER_OWNER,
-      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, 
USER_OWNER);
+    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, 
USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test (timeout=180000)
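Review bot: The updated assertions exercise USER_OWNER only with `htd`, which presumably names the snapshot's own table (it is defined outside this hunk), so the new `getNameAsString().equals(snapshot.getTable())` condition is never tested on its denying side. Add a second action (say `cloneToOtherTableAction`) that passes a descriptor for a different table name and assert `verifyDenied(cloneToOtherTableAction, USER_OWNER)`, because that case is what keeps the owner exemption from turning into a general table-creation right. The removed comment explained why owners were denied, and nothing replaces it. A line such as `// Snapshot owner may clone only to the table the snapshot was taken from` above the `verifyAllowed` call would record the new rule.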

http://git-wip-us.apache.org/repos/asf/hbase/blob/b7f283c6/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc 
b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
index cb285f3..adc2b1f 100644
--- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
+++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
@@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which 
check for accuracy of p
 |        | stopMaster | superuser\|global(A)
 |        | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A)
 |        | listSnapshot | superuser\|global(A)\|SnapshotOwner
-|        | cloneSnapshot | superuser\|global(A)
+|        | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName 
matches)
 |        | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & 
(NS(A)\|TableOwner\|table(A))
 |        | deleteSnapshot | superuser\|global(A)\|SnapshotOwner
 |        | createNamespace | superuser\|global(A)
