This is an automated email from the ASF dual-hosted git repository. stack pushed a commit to branch branch-2.2 in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.2 by this push: new ac51f5e [HBASE-24288]Allow admin user to create table and do bulkLoad (#1612) ac51f5e is described below commit ac51f5ee6fd2898ac26ebf10948a43df5628b108 Author: xincunSong <365724...@qq.com> AuthorDate: Sat May 2 02:57:33 2020 +0800 [HBASE-24288]Allow admin user to create table and do bulkLoad (#1612) Signed-off-by: Guangxu Cheng <gxch...@apache.org> Signed-off-by: binlijin <binli...@gmail.com> --- .../hadoop/hbase/security/access/AccessController.java | 13 ++++++++----- .../hbase/security/access/TestAccessController.java | 16 +++++++--------- .../hbase/security/access/TestAccessController3.java | 6 +++--- .../hbase/security/access/TestNamespaceCommands.java | 11 ++++++----- 4 files changed, 24 insertions(+), 22 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 314c6ba..ab8a7e7 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -762,7 +762,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, familyMap.put(family, null); } requireNamespacePermission(c, "createTable", - desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE); + desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.ADMIN, + Action.CREATE); } @Override @@ -1900,7 +1901,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, } /** - * Verifies user has CREATE privileges on + * Verifies user has CREATE or ADMIN privileges on * the Column Families involved in the bulkLoadHFile * request. Specific Column Write privileges are presently * ignored. 
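Review bot: The `requireNamespacePermission(c, "createTable", …)` call now accepts `Action.ADMIN` as an alternative to `Action.CREATE`, which widens who may create tables, and nothing at the call site records that this is deliberate. Deployments that granted ADMIN at global or namespace scope without CREATE gain table creation when they pick up this branch-2.2 change, so it deserves a release note and an update to whatever permission matrix the project documents. I would add a comment above the call such as `// ADMIN or CREATE at global/namespace scope is sufficient (HBASE-24288)`. The enclosing method starts outside the hunk, and that the action list is evaluated as any-of is inferred from the updated tests rather than visible here.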
@@ -1912,7 +1913,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, for(Pair<byte[],String> el : familyPaths) { accessChecker.requirePermission(user, "preBulkLoadHFile", ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), el.getFirst(), null, - null, Action.CREATE); + null, Action.ADMIN, Action.CREATE); } } @@ -1926,7 +1927,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException { requireAccess(ctx, "prePrepareBulkLoad", - ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); + ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN, + Action.CREATE); } /** @@ -1939,7 +1941,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx) throws IOException { requireAccess(ctx, "preCleanupBulkLoad", - ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE); + ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.ADMIN, + Action.CREATE); } /* ---- EndpointObserver implementation ---- */ diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 2ce2642..06a45af 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
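Review bot: Bulk load now succeeds for a principal holding only ADMIN, and per the Javadoc in the preceding hunk column WRITE privileges are still ignored on this path, so ADMIN becomes a second way to place data into a table without WRITE. In the `accessChecker.requirePermission(user, "preBulkLoadHFile", …)` loop that is the behaviour the commit asks for, but it should be stated where the check is made, e.g. `// ADMIN or CREATE on each family; WRITE is not checked (HBASE-24288)`. The same `Action.ADMIN, Action.CREATE` pair is added in `prePrepareBulkLoad` and `preCleanupBulkLoad`; their Javadoc lies outside these hunks and, if it still names only CREATE, should be updated the way the preBulkLoadHFile Javadoc was. Any audit or review process that enumerates CREATE grants to find who can bulk load will need to include ADMIN grants as well.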
@@ -400,11 +400,11 @@ public class TestAccessController extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); + verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, - USER_GROUP_READ, USER_GROUP_WRITE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); } @Test @@ -1001,9 +1001,8 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, - USER_GROUP_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE, - USER_GROUP_ADMIN); + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE); } finally { // Reinit after the bulk upload TEST_UTIL.getAdmin().disableTable(TEST_TABLE); @@ -2886,9 +2885,8 @@ public class TestAccessController extends SecureTestUtil { private void verifyAnyCreate(AccessTestAction action) throws Exception { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, - USER_GROUP_CREATE); - verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, - USER_GROUP_ADMIN); + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE); } @Test diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java index 7b10e3f..1336b30 100644 
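Review bot: The comment `// verify that superuser can create tables` above the first `verifyAllowed(createTable, …)` no longer describes the assertion, which now also admits `USER_ADMIN`, `USER_GROUP_CREATE` and `USER_GROUP_ADMIN`. Since this test is the executable statement of the access policy, the comment should name the rule, for example `// superuser, and users whose ADMIN or CREATE grant covers the namespace, can create tables`. `USER_CREATE` remains in the denied list, presumably because its grant is table-scoped; saying so next to `// all others should be denied` would make the scope boundary explicit. The same stale comment sits in the TestAccessController3 hunk at line 291. The test method begins outside the hunk.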
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java @@ -291,11 +291,11 @@ public class TestAccessController3 extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); + verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, - USER_GROUP_READ, USER_GROUP_WRITE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 15577aa..9e696fd 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java 
@@ -517,10 +517,11 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; - //createTable : superuser | global(C) | NS(C) - verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE); - verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ, - USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, - USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN); + //createTable : superuser | global(AC) | NS(AC) + verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE, + USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN); + verifyDenied(createTable, USER_GLOBAL_WRITE, USER_GLOBAL_READ, USER_GLOBAL_EXEC, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, USER_TABLE_CREATE, USER_TABLE_WRITE, + USER_GROUP_READ, USER_GROUP_WRITE); } }
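Review bot: The `verifyDenied(createTable, …)` list has no principal whose only grant is table-scoped ADMIN, so nothing pins that the new ADMIN allowance stops at global and namespace scope. `USER_TABLE_CREATE` and `USER_TABLE_WRITE` are denied here, and the updated comment `global(AC) | NS(AC)` implies table-scoped ADMIN should be denied too. If the fixture already defines such a user (none is visible in this hunk), add it to the denied list; otherwise a fixture user granted ADMIN on the test table only would close the gap. The test method begins outside the hunk.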