Index: hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
===================================================================
--- hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (revision 1347877)
+++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (working copy)
@@ -372,13 +372,34 @@
 * @throws IOException if obtaining the current user fails
 * @throws AccessDeniedException if authorization is denied
 */
- private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
- byte[] tableName) throws IOException {
- if (isActiveUserTableOwner(e, tableName)) {
- requirePermission(Permission.Action.CREATE);
+ private void requireTableAdminPermission(MasterCoprocessorEnvironment e, byte[] tableName)
+ throws IOException {
+ User user = getActiveUser();
+ AuthResult result = null;
+
+ // Table admins are allowed to perform DDL
+ if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)) {
+ result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
+ tableName);
+ } else if (isActiveUserTableOwner(e, tableName)) {
+ // Table owners with Create permission are allowed to perform DDL
+ if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE)) {
+ result = AuthResult.allow("Owner has table permission", user,
+ TablePermission.Action.CREATE, tableName);
+ } else {
+ // Table owners without Create permission cannot perform DDL
+ result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
+ tableName);
+ }
 } else {
- requirePermission(Permission.Action.ADMIN);
+ // rest of the world
+ result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
+ tableName);
 }
+ logResult(result);
+ if (!result.isAllowed()) {
+ throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
+ }
 }
 /**
Index: hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
===================================================================
--- hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (revision 1347877)
+++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
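Review bot: The non-owner branch now depends entirely on `authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)` where the removed code called the global `requirePermission(Permission.Action.ADMIN)`; the two are equivalent only if authManager.authorize folds global grants into the table-scoped check, which this hunk cannot show, so the retained `verifyAllowed(USER_ADMIN, …)` cases in TestAccessController are the only guard that a global admin without a per-table grant still passes and must not be dropped. The method's Javadoc summary sits above the hunk (only its `@throws` tags are visible) and presumably still describes the old rule; it should now say something like `Authorizes the active user for table DDL: allowed with table-level ADMIN, or as the table owner holding CREATE; any other caller is denied, with the decision passed to logResult.` `AuthResult result = null;` can be `AuthResult result;` so the compiler enforces that every branch assigns it instead of letting a future branch fall through to a NullPointerException at `result.isAllowed()`.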
(working copy)
@@ -80,6 +80,8 @@
 private static User USER_RW;
 // user with read-only permissions
 private static User USER_RO;
+ // user with table admin permissions
+ private static User USER_TBLADM;
 // user with no permissions
 private static User USER_NONE;
@@ -110,6 +112,7 @@
 USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
 USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
 USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
+ USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
 USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
 HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
@@ -132,6 +135,9 @@
 protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
+
+ protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
+ TEST_TABLE, null, Permission.Action.ADMIN));
 }
 @AfterClass
@@ -232,6 +238,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, modifyTable);
 verifyAllowed(USER_ADMIN, modifyTable);
+ verifyAllowed(USER_TBLADM, modifyTable);
 }
 @Test
@@ -252,6 +259,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, deleteTable);
 verifyAllowed(USER_ADMIN, deleteTable);
+ verifyAllowed(USER_TBLADM, deleteTable);
 }
 @Test
@@ -273,6 +281,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, action);
 verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
 }
 @Test
@@ -295,6 +304,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, action);
 verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
 }
 @Test
@@ -315,6 +325,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, action);
 verifyAllowed(USER_ADMIN, action);
+ verifyAllowed(USER_TBLADM, action);
 }
 @Test
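Review bot: The new USER_TBLADM grant in the `@@ -132,6 +135,9 @@` hunk is exercised only through verifyAllowed calls in the later hunks, so neither of the deny paths introduced in requireTableAdminPermission — a table owner without CREATE, and a user whose ADMIN grant is on a different table — gets a negative test. The grant is scoped to TEST_TABLE with a null family, so a `verifyDenied(USER_TBLADM, …)` for a DDL action against a second table would pin that scope, and a `verifyDenied(USER_OWNER, …)` after revoking the owner's CREATE would cover the other branch; both are inferred from the hunk rather than visible here. The setup method containing the grant starts and ends outside the hunk.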
@@ -335,6 +346,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, disableTable);
 verifyAllowed(USER_ADMIN, disableTable);
+ verifyAllowed(USER_TBLADM, disableTable);
 }
 @Test
@@ -355,6 +367,7 @@
 // verify that superuser can create tables
 verifyAllowed(SUPERUSER, enableTable);
 verifyAllowed(USER_ADMIN, enableTable);
+ verifyAllowed(USER_TBLADM, enableTable);
 }
 @Test