Index: security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java =================================================================== --- security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (revision 1326267) +++ security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (working copy) @@ -205,7 +205,7 @@ @Test public void testTableModify() throws Exception { - PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() { + PrivilegedExceptionAction modifyTable = new PrivilegedExceptionAction() { public Object run() throws Exception { HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); @@ -216,18 +216,18 @@ }; // all others should be denied - verifyDenied(USER_OWNER, disableTable); - verifyDenied(USER_RW, disableTable); - verifyDenied(USER_RO, disableTable); - verifyDenied(USER_NONE, disableTable); + verifyDenied(USER_OWNER, modifyTable); + verifyDenied(USER_RW, modifyTable); + verifyDenied(USER_RO, modifyTable); + verifyDenied(USER_NONE, modifyTable); // verify that superuser can create tables - verifyAllowed(SUPERUSER, disableTable); + verifyAllowed(SUPERUSER, modifyTable); } @Test public void testTableDelete() throws Exception { - PrivilegedExceptionAction disableTable = new PrivilegedExceptionAction() { + PrivilegedExceptionAction deleteTable = new PrivilegedExceptionAction() { public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; 
@@ -235,13 +235,13 @@ }; // all others should be denied - verifyDenied(USER_OWNER, disableTable); - verifyDenied(USER_RW, disableTable); - verifyDenied(USER_RO, disableTable); - verifyDenied(USER_NONE, disableTable); + verifyDenied(USER_OWNER, deleteTable); + verifyDenied(USER_RW, deleteTable); + verifyDenied(USER_RO, deleteTable); + verifyDenied(USER_NONE, deleteTable); // verify that superuser can create tables - verifyAllowed(SUPERUSER, disableTable); + verifyAllowed(SUPERUSER, deleteTable); } @Test Index: security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java =================================================================== --- security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (revision 1326267) +++ security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (working copy) @@ -505,7 +505,11 @@ @Override public void preDeleteTable(ObserverContext c, byte[] tableName) throws IOException { - requirePermission(Permission.Action.CREATE); + if (isActiveUserTableOwner(c.getEnvironment(), tableName)) { + requirePermission(Permission.Action.CREATE); + } else { + requirePermission(Permission.Action.ADMIN); + } } @Override public void postDeleteTable(ObserverContext c, @@ -555,8 +559,11 @@ @Override public void preEnableTable(ObserverContext c, byte[] tableName) throws IOException { - /* TODO: Allow for users with global CREATE permission and the table owner */ - requirePermission(Permission.Action.ADMIN); + if (isActiveUserTableOwner(c.getEnvironment(), tableName)) { + requirePermission(Permission.Action.CREATE); + } else { + requirePermission(Permission.Action.ADMIN); + } } @Override public void postEnableTable(ObserverContext c, 
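Review bot: The new `else` branch in preDeleteTable raises the bar for non-owners from global CREATE to global ADMIN, so a user who holds CREATE but does not own the table loses the ability to delete it, and none of the test hunks in this commit cover that case (USER_RW, USER_RO and USER_NONE are checked, a CREATE holder who is not the owner is not). The TestAccessController change in the same commit also still expects `verifyDenied(USER_OWNER, deleteTable)`, so the owner-with-CREATE branch appears untested unless USER_OWNER deliberately lacks global CREATE in the fixture; either add an owner-with-CREATE case or a comment stating which it is. Note too that the owner lookup (`c.getEnvironment().getTable(tableName)`) now runs before any permission check, so a caller with no rights at all makes the master open the table and, for a missing table, presumably sees a table-not-found error instead of AccessDeniedException; if a non-throwing `hasPermission`-style helper exists in this class, checking ADMIN first and consulting ownership only on failure avoids both. preDeleteTable is complete within the hunk; its enclosing class continues outside it.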
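Review bot: The owner-or-admin check added here in preEnableTable is the same five lines this commit also adds to preDeleteTable and preDisableTable; three copies make it easy for the next table-level hook to drift (one could end up back at CREATE-for-everyone, which is exactly what the removed TODO was about). I would fold it into one private helper, called as `requireTableOwnerOrAdmin(c.getEnvironment(), tableName);` from each hook, so the policy is stated and documented once. The helper would sit next to the new getTableOwner/isActiveUserTableOwner methods at the end of the class, outside this hunk.
```java
    // … unchanged: preEnableTable signature …
    requireTableOwnerOrAdmin(c.getEnvironment(), tableName);
  }

  /**
   * Authorization for table-level admin operations (delete/enable/disable):
   * the table owner needs global CREATE, anyone else needs global ADMIN.
   *
   * @throws IOException if the owner lookup fails or the active user has
   *         neither permission (AccessDeniedException from requirePermission)
   */
  private void requireTableOwnerOrAdmin(MasterCoprocessorEnvironment e,
      byte[] tableName) throws IOException {
    if (isActiveUserTableOwner(e, tableName)) {
      requirePermission(Permission.Action.CREATE);
    } else {
      requirePermission(Permission.Action.ADMIN);
    }
  }
```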
@@ -565,8 +572,11 @@ @Override public void preDisableTable(ObserverContext c, byte[] tableName) throws IOException { - /* TODO: Allow for users with global CREATE permission and the table owner */ - requirePermission(Permission.Action.ADMIN); + if (isActiveUserTableOwner(c.getEnvironment(), tableName)) { + requirePermission(Permission.Action.CREATE); + } else { + requirePermission(Permission.Action.ADMIN); + } } @Override public void postDisableTable(ObserverContext c, @@ -1027,4 +1037,16 @@ } return tableName; } + + private String getTableOwner(MasterCoprocessorEnvironment e, + byte[] tableName) throws IOException { + HTableDescriptor htd = e.getTable(tableName).getTableDescriptor(); + return htd.getOwnerString(); + } + + private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e, + byte[] tableName) throws IOException { + String activeUser = getActiveUser().getShortName(); + return activeUser.equals(getTableOwner(e, tableName)); + } }
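Review bot: preDisableTable (and preEnableTable in the previous hunk) now call isActiveUserTableOwner, which reaches the descriptor through `c.getEnvironment().getTable(tableName)`, i.e. by opening a client-side table handle; whether that succeeds for a table that is currently disabled (the preEnableTable case) is not something this hunk shows, and if it throws, the hook fails before requirePermission ever runs, so even SUPERUSER could not re-enable the table. Worth a test that enables a disabled table as SUPERUSER and as its owner, plus a comment on the helper noting the dependency, e.g. `// relies on getTable() succeeding for a disabled table - verify`. If the master environment offers a descriptor lookup that does not go through a client connection, it would be preferable here. preDisableTable is complete within the hunk; the class continues outside it.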
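Review bot: getTableOwner obtains a table handle via `e.getTable(tableName)` and never closes it, so every delete/enable/disable authorization now leaks a client table instance inside the master; the descriptor read should be wrapped in try/finally so the handle is released (assuming getTable returns the coprocessor environment's HTableInterface, which has close()). In isActiveUserTableOwner the comparison `activeUser.equals(getTableOwner(e, tableName))` silently yields false when the descriptor carries no owner string, which is the safe outcome (falls through to ADMIN) but deserves a comment, while a null return from getActiveUser() would surface as a NullPointerException rather than an access-denied error, so it is worth confirming getActiveUser() cannot be null on this path. Both helpers are complete within the hunk; the class they belong to starts outside it.
```java
  /**
   * Reads the owner recorded in the table descriptor; may be null when the
   * table has no owner attribute.
   */
  private String getTableOwner(MasterCoprocessorEnvironment e,
      byte[] tableName) throws IOException {
    // getTable() hands back a client table handle; release it once the
    // descriptor has been read rather than leaking one per admin call.
    HTableInterface table = e.getTable(tableName);
    try {
      return table.getTableDescriptor().getOwnerString();
    } finally {
      table.close();
    }
  }

  /** True when the active user's short name matches the descriptor owner. */
  private boolean isActiveUserTableOwner(MasterCoprocessorEnvironment e,
      byte[] tableName) throws IOException {
    String owner = getTableOwner(e, tableName);
    // A table with no recorded owner never matches, so callers fall through
    // to the stricter ADMIN requirement.
    return owner != null && owner.equals(getActiveUser().getShortName());
  }
```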