[
https://issues.apache.org/jira/browse/HBASE-16724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529734#comment-15529734
]
Matteo Bertozzi commented on HBASE-16724:
-----------------------------------------
what if we change cloneSnapshot to check for table admin?
{code}
requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(),
hTableDescriptor.getTableName(), null, null,
Permission.Action.ADMIN);
{code}
snapshot and restore do the check for table admin.
so you can take a snapshot and by snapshot owner if you own the table.
clone should probably do the same thing, if you have permission on that table
you'll be able to create it.
this prevents for a user with a specific "table admin" permission to be able to
create other tables.
e.g. user1 is allowed to work/admin only table1. user1 can
snapshot/restore/clone snapshots for table1 as table1
> Snapshot owner can't clone
> --------------------------
>
> Key: HBASE-16724
> URL: https://issues.apache.org/jira/browse/HBASE-16724
> Project: HBase
> Issue Type: Bug
> Components: snapshots
> Affects Versions: 2.0.0
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
>
> Currently only Global admin has the access of cloning a snapshot.
> In AccessController,
> {code}
> @Override
> public void preCloneSnapshot(final
> ObserverContext<MasterCoprocessorEnvironment> ctx,
> final SnapshotDescription snapshot, final HTableDescriptor
> hTableDescriptor)
> throws IOException {
> requirePermission(getActiveUser(ctx), "cloneSnapshot " +
> snapshot.getName(), Action.ADMIN);
> }
> {code}
> Snapshot owner should be able to clone it, need to add a check like,
> {code}
> SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
