Index: hbase-server/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java
===================================================================
--- hbase-server/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java (revision 1349631)
+++ hbase-server/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java (working copy)
@@ -1195,11 +1195,13 @@
 .setScope(HConstants.REPLICATION_SCOPE_LOCAL)
 });
+@Deprecated
 public void setOwner(User owner) {
 setOwnerString(owner != null ? owner.getShortName() : null);
 }
 // used by admin.rb:alter(table_name,*args) to update owner.
+@Deprecated
 public void setOwnerString(String ownerString) {
 if (ownerString != null) {
 setValue(OWNER_KEY, Bytes.toBytes(ownerString));
@@ -1208,12 +1210,14 @@
 }
 }
+@Deprecated
 public String getOwnerString() {
 if (getValue(OWNER_KEY) != null) {
 return Bytes.toString(getValue(OWNER_KEY));
 }
 // Note that every table should have an owner (i.e. should have OWNER_KEY set).
-// .META. and -ROOT- should return system user as owner, not null (see MasterFileSystem.java:bootstrap()).
+// .META. and -ROOT- should return system user as owner, not null (see
+// MasterFileSystem.java:bootstrap()).
 return null;
 }
Index: hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
===================================================================
--- hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (revision 1349631)
+++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java (working copy)
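Review bot: The three `@Deprecated` annotations on setOwner, setOwnerString and getOwnerString (both hunks of this file) come without a Javadoc `@deprecated` tag, so callers get a compiler warning but no statement of what replaces table ownership or when the methods go away. Suggest a one-line Javadoc above each, e.g. `/** @deprecated ownership no longer confers any privilege; grant table permissions explicitly. */` — the replacement is only inferred from the AccessController hunks below, so confirm the wording. The retained comment in getOwnerString, `// Note that every table should have an owner (i.e. should have OWNER_KEY set).`, still presents ownership as a requirement and should be reworded or dropped together with the deprecation.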
@@ -54,13 +54,12 @@
 import org.apache.hadoop.hbase.regionserver.InternalScanner;
 import org.apache.hadoop.hbase.regionserver.RegionScanner;
 import org.apache.hadoop.hbase.regionserver.Store;
-import org.apache.hadoop.hbase.regionserver.StoreFile;
 import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
 import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.util.Bytes;
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ListMultimap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.MapMaker;
@@ -250,7 +249,6 @@
 RegionCoprocessorEnvironment e, Map> families) {
 HRegionInfo hri = e.getRegion().getRegionInfo();
-HTableDescriptor htd = e.getRegion().getTableDesc();
 byte[] tableName = hri.getTableName();
 // 1. All users need read access to .META. and -ROOT- tables.
@@ -279,19 +277,12 @@
 return AuthResult.allow("Table permission granted", user, permRequest, tableName);
 }
-// 2. The table owner has full privileges
-String owner = htd.getOwnerString();
-if (user.getShortName().equals(owner)) {
-// owner of the table has full access
-return AuthResult.allow("User is table owner", user, permRequest, tableName);
-}
-
-// 3. check for the table-level, if successful we can short-circuit
+// 2. check for the table-level, if successful we can short-circuit
 if (authManager.authorize(user, tableName, (byte[])null, permRequest)) {
 return AuthResult.allow("Table permission granted", user, permRequest, tableName);
 }
-// 4. check permissions against the requested families
+// 3. check permissions against the requested families
 if (families != null && families.size() > 0) {
 // all families must pass
 for (Map.Entry> family : families.entrySet()) {
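Review bot: Dropping the owner short-circuit in permissionGranted changes the outcome for existing tables whose OWNER_KEY is set and whose owner holds no explicit grant: after this patch those users are denied, and neither the new step comments nor anything else in the hunk records that ownership is no longer consulted. Suggest a note where step 2 now begins, `// Ownership (HTableDescriptor OWNER_KEY) no longer implies any privilege; only ACL grants are consulted.`, so the next reader does not go looking for the owner branch. The renumbered steps 2 and 3 agree with the renumbered step 4 in the following hunk. The enclosing method starts before this hunk.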
@@ -335,7 +326,7 @@
 tableName);
 }
-// 5. no families to check and table level access failed
+// 4. no families to check and table level access failed
 return AuthResult.deny("No families to check and table permission failed", user, permRequest, tableName);
 }
@@ -365,38 +356,24 @@
 }
 /**
-* Authorizes that the current user has "admin" privileges for the given table.
-* that means he/she can edit/modify/delete the table.
-* If current user is the table owner, and has CREATE permission,
-* then he/she has table admin permission. otherwise ADMIN rights are checked.
-* @param e Coprocessor environment
+* Authorizes that the current user has any of the given permissions for the given table.
 * @param tableName Table requested
 * @throws IOException if obtaining the current user fails
-* @throws AccessDeniedException if authorization is denied
+* @throws AccessDeniedException if user has no authorization
 */
-private void requireTableAdminPermission(CoprocessorEnvironment e, byte[] tableName)
+private void requireAnyTablePermission(byte[] tableName, Action... permissions)
 throws IOException {
 User user = getActiveUser();
 AuthResult result = null;
-// Table admins are allowed to perform DDL
-if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.ADMIN)) {
-result = AuthResult.allow("Table permission granted", user, TablePermission.Action.ADMIN,
-tableName);
-} else if (isActiveUserTableOwner(e, tableName)) {
-// Table owners with Create permission are allowed to perform DDL
-if (authManager.authorize(user, tableName, (byte[]) null, TablePermission.Action.CREATE)) {
-result = AuthResult.allow("Owner has table permission", user,
-TablePermission.Action.CREATE, tableName);
+for (Action permission : permissions) {
+if (authManager.authorize(user, tableName, (byte[]) null, permission)) {
+result = AuthResult.allow("Table permission granted", user, permission, tableName);
+break;
 } else {
-// Table owners without Create permission cannot perform DDL
-result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.CREATE,
-tableName);
+// rest of the world
+result = AuthResult.deny("Insufficient permissions", user, permission, tableName);
 }
-} else {
-// rest of the world
-result = AuthResult.deny("Insufficient permissions", user, TablePermission.Action.ADMIN,
-tableName);
 }
 logResult(result);
 if (!result.isAllowed()) {
@@ -540,14 +517,8 @@
 public void preCreateTable(ObserverContext c, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
 requirePermission(Permission.Action.CREATE);
-
-// default the table owner if not specified
-User owner = getActiveUser();
-if (desc.getOwnerString() == null ||
-desc.getOwnerString().equals("")) {
-desc.setOwner(owner);
-}
 }
+@Override
 public void preCreateTableHandler(ObserverContext c, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {}
@@ -562,7 +533,7 @@
 @Override
 public void preDeleteTable(ObserverContext c, byte[] tableName) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preDeleteTableHandler(ObserverContext c,
@@ -579,7 +550,7 @@
 @Override
 public void preModifyTable(ObserverContext c, byte[] tableName, HTableDescriptor htd) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preModifyTableHandler(ObserverContext c,
@@ -595,7 +566,7 @@
 @Override
 public void preAddColumn(ObserverContext c, byte[] tableName, HColumnDescriptor column) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preAddColumnHandler(ObserverContext c,
@@ -610,7 +581,7 @@
 @Override
 public void preModifyColumn(ObserverContext c, byte[] tableName, HColumnDescriptor descriptor) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preModifyColumnHandler(ObserverContext c,
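Review bot: `result` is still null when `permissions` is empty, so `logResult(result)` and `result.isAllowed()` at the end of requireAnyTablePermission throw NullPointerException instead of producing a deny; every call site in this patch passes at least one action, but the varargs signature invites the empty call. Reject it before the loop, `if (permissions.length == 0) { throw new IllegalArgumentException("at least one permission is required"); }`, which still fails closed. The deny result also carries only the last action tried, so for the DDL call sites that pass `Action.ADMIN, Action.CREATE` the audit line always names CREATE and never mentions ADMIN; consider passing the full list in the reason string. The new Javadoc should also gain `@param permissions the actions of which at least one must be granted on the table`. The method body continues past the end of the hunk.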
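Review bot: With the owner defaulting removed from preCreateTable, the creating user ends up with no table-level ACL entry unless something outside this patch grants one; the test-side comment `// user with all table permissions - equivalent to creator of the table` suggests the creator is expected to hold every table permission, but no hunk here grants that. If the grant lives in a later change, a comment after `requirePermission(Permission.Action.CREATE);` naming it would stop the next reader from assuming the creator keeps implicit rights; if it does not, a table's creator can no longer alter or delete it without an explicit ADMIN or CREATE grant. This is hedged, since only this diff is visible.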
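Review bot: Table-scoped CREATE now authorizes deleteTable on its own, where before only the table owner holding CREATE could perform DDL; the same applies to the preModifyTable, preAddColumn and preModifyColumn hunks here and to the preDeleteColumn, preEnableTable and preDisableTable hunks that follow, all switching to `requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE)`. That widens what an existing table-scoped CREATE grant means, and nothing in the diff documents it at the call sites or on Permission.Action. Suggest a comment at this first call site, `// Table-scoped CREATE is treated as a DDL right equivalent to ADMIN for this hook.`, and a release note advising operators to audit table-scoped CREATE grants before upgrading, since non-owner holders gain delete and disable rights.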
@@ -626,7 +597,7 @@
 @Override
 public void preDeleteColumn(ObserverContext c, byte[] tableName, byte[] col) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preDeleteColumnHandler(ObserverContext c,
@@ -644,7 +615,7 @@
 @Override
 public void preEnableTable(ObserverContext c, byte[] tableName) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preEnableTableHandler(ObserverContext c,
@@ -659,7 +630,7 @@
 @Override
 public void preDisableTable(ObserverContext c, byte[] tableName) throws IOException {
-requireTableAdminPermission(c.getEnvironment(), tableName);
+requireAnyTablePermission(tableName, Action.ADMIN, Action.CREATE);
 }
 @Override
 public void preDisableTableHandler(ObserverContext c,
@@ -773,18 +744,18 @@
 @Override
 public void preFlush(ObserverContext e) throws IOException {
-requireTableAdminPermission(e.getEnvironment(), getTableName(e.getEnvironment()));
+requireAnyTablePermission(getTableName(e.getEnvironment()), Action.ADMIN);
 }
 @Override
 public void preSplit(ObserverContext e) throws IOException {
-requireTableAdminPermission(e.getEnvironment(), getTableName(e.getEnvironment()));
+requireAnyTablePermission(getTableName(e.getEnvironment()), Action.ADMIN);
 }
 @Override
 public InternalScanner preCompact(ObserverContext e, final Store store, final InternalScanner scanner) throws IOException {
-requireTableAdminPermission(e.getEnvironment(), getTableName(e.getEnvironment()));
+requireAnyTablePermission(getTableName(e.getEnvironment()), Action.ADMIN);
 return scanner;
 }
@@ -1155,15 +1126,4 @@
 }
 return tableName;
 }
-
-private String getTableOwner(CoprocessorEnvironment e, byte[] tableName) throws IOException {
-HTableDescriptor htd = e.getTable(tableName).getTableDescriptor();
-return htd.getOwnerString();
-}
-
-private boolean isActiveUserTableOwner(CoprocessorEnvironment e, byte[] tableName)
-throws IOException {
-String activeUser = getActiveUser().getShortName();
-return activeUser.equals(getTableOwner(e, tableName));
-}
 }
Index: hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
===================================================================
--- hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (revision 1349631)
+++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java (working copy)
@@ -27,11 +27,8 @@
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.Coprocessor;
-import org.apache.hadoop.hbase.CoprocessorEnvironment;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
@@ -69,8 +66,8 @@
 * levels of authorized users.
 */
 @Category(LargeTests.class)
+@SuppressWarnings("rawtypes")
 public class TestAccessController {
-private static Log LOG = LogFactory.getLog(TestAccessController.class);
 private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
 private static Configuration conf;
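Review bot: `@SuppressWarnings("rawtypes")` on the class hides raw-type warnings for the whole test, including anything added later; the raw uses it silences are presumably the `ObserverContext` and `PrivilegedExceptionAction` declarations elsewhere in the file. Prefer parameterising those declarations (`PrivilegedExceptionAction<Object>` for the action fields, for instance) or placing the annotation on the individual method or field that needs it, so a newly introduced raw type still gets flagged.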
@@ -78,14 +75,14 @@
 private static User SUPERUSER;
 // user granted with all global permission
 private static User USER_ADMIN;
-// table owner user
-private static User USER_OWNER;
 // user with rw permissions
 private static User USER_RW;
 // user with read-only permissions
 private static User USER_RO;
-// user with table admin permissions
-private static User USER_TBLADM;
+// user with table create permissions
+private static User USER_TBL_C;
+// user with all table permissions - equivalent to creator of the table
+private static User USER_TBLALL;
 // user with no permissions
 private static User USER_NONE;
@@ -114,16 +111,15 @@
 // create a set of test users
 SUPERUSER = User.createUserForTesting(conf, "admin", new String[]{"supergroup"});
 USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]);
-USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
 USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
 USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
-USER_TBLADM = User.createUserForTesting(conf, "tbladm", new String[0]);
+USER_TBL_C = User.createUserForTesting(conf, "tbl_c", new String[0]);
+USER_TBLALL = User.createUserForTesting(conf, "tblall", new String[0]);
 USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
 HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
 HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
 htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
-htd.setOwnerString(USER_OWNER.getShortName());
 admin.createTable(htd);
 // initilize access control
@@ -146,8 +142,11 @@
 protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE, TEST_FAMILY, Permission.Action.READ));
-protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLADM.getShortName()),
-TEST_TABLE, null, Permission.Action.ADMIN));
+protocol.grant(new UserPermission(Bytes.toBytes(USER_TBL_C.getShortName()),
+TEST_TABLE, null, Permission.Action.CREATE));
+
+protocol.grant(new UserPermission(Bytes.toBytes(USER_TBLALL.getShortName()), TEST_TABLE, null,
+Permission.Action.values()));
 }
 @AfterClass
@@ -219,14 +218,10 @@
 };
 // verify that superuser can create tables
-verifyAllowed(SUPERUSER, createTable);
-verifyAllowed(USER_ADMIN, createTable);
+verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
 // all others should be denied
-verifyDenied(USER_OWNER, createTable);
-verifyDenied(USER_RW, createTable);
-verifyDenied(USER_RO, createTable);
-verifyDenied(USER_NONE, createTable);
+verifyDenied(createTable, USER_TBLALL, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -241,16 +236,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, modifyTable);
-verifyDenied(USER_RW, modifyTable);
-verifyDenied(USER_RO, modifyTable);
-verifyDenied(USER_NONE, modifyTable);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, modifyTable);
-verifyAllowed(USER_ADMIN, modifyTable);
-verifyAllowed(USER_TBLADM, modifyTable);
+verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
 }
 @Test
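Review bot: `verifyDenied(createTable, USER_TBLALL, USER_RW, USER_RO, USER_NONE)` leaves out USER_TBL_C, and the verifyGlobal hunk later in this file (`verifyDenied(action, USER_TBLALL, USER_RW, USER_NONE, USER_RO)`) does the same; a user holding only a table-scoped CREATE grant is exactly the case these two checks need to pin down now that this patch makes table-scoped CREATE a stronger right, because a global check must not accept it. Add USER_TBL_C to both denied lists, e.g. `verifyDenied(createTable, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);`. If the omission is deliberate because table-scoped CREATE is meant to satisfy global CREATE, that should be asserted with verifyAllowed rather than left untested.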
@@ -262,16 +249,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, deleteTable);
-verifyDenied(USER_RW, deleteTable);
-verifyDenied(USER_RO, deleteTable);
-verifyDenied(USER_NONE, deleteTable);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, deleteTable);
-verifyAllowed(USER_ADMIN, deleteTable);
-verifyAllowed(USER_TBLADM, deleteTable);
+verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -284,16 +263,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_TBLADM, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(action, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -307,16 +278,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_TBLADM, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(action, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -328,16 +291,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_TBLADM, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(action, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -349,16 +304,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, disableTable);
-verifyDenied(USER_RW, disableTable);
-verifyDenied(USER_RO, disableTable);
-verifyDenied(USER_NONE, disableTable);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, disableTable);
-verifyAllowed(USER_ADMIN, disableTable);
-verifyAllowed(USER_TBLADM, disableTable);
+verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -370,16 +317,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, enableTable);
-verifyDenied(USER_RW, enableTable);
-verifyDenied(USER_RO, enableTable);
-verifyDenied(USER_NONE, enableTable);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, enableTable);
-verifyAllowed(USER_ADMIN, enableTable);
-verifyAllowed(USER_TBLADM, enableTable);
+verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_TBL_C);
+verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -397,15 +336,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -423,15 +355,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -449,15 +374,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -469,15 +387,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -489,15 +400,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -509,15 +413,8 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -529,27 +426,13 @@
 }
 };
-// all others should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_RO, action);
-verifyDenied(USER_NONE, action);
-
-// verify that superuser can create tables
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
+verifyAllowed(action, SUPERUSER, USER_ADMIN);
+verifyDenied(action, USER_TBLALL, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 private void verifyWrite(PrivilegedExceptionAction action) throws Exception {
-// should be denied
-verifyDenied(USER_NONE, action);
-verifyDenied(USER_RO, action);
-
-// should be allowed
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_OWNER, action);
-verifyAllowed(USER_RW, action);
+verifyDenied(action, USER_NONE, USER_RO);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_RW);
 }
 @Test
@@ -561,11 +444,8 @@
 }
 };
-// verify that superuser and admin only can split
-verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLADM);
-
-// all others should be denied
-verifyDenied(action, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL);
+verifyDenied(action, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -577,11 +457,8 @@
 }
 };
-// verify that superuser and admin only can flush
-verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLADM);
-
-// all others should be denied
-verifyDenied(action, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL);
+verifyDenied(action, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 @Test
@@ -593,35 +470,18 @@
 }
 };
-// verify that superuser and admin only can compact
-verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLADM);
-
-// all others should be denied
-verifyDenied(action, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL);
+verifyDenied(action, USER_TBL_C, USER_RW, USER_RO, USER_NONE);
 }
 private void verifyRead(PrivilegedExceptionAction action) throws Exception {
-// should be denied
-verifyDenied(USER_NONE, action);
-
-// should be allowed
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_OWNER, action);
-verifyAllowed(USER_RW, action);
-verifyAllowed(USER_RO, action);
+verifyDenied(action, USER_NONE);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_RW, USER_RO);
 }
 private void verifyReadWrite(PrivilegedExceptionAction action) throws Exception {
-// should be denied
-verifyDenied(USER_NONE, action);
-verifyDenied(USER_RO, action);
-
-// should be allowed
-verifyAllowed(SUPERUSER, action);
-verifyAllowed(USER_ADMIN, action);
-verifyAllowed(USER_OWNER, action);
-verifyAllowed(USER_RW, action);
+verifyDenied(action, USER_NONE, USER_RO);
+verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_TBLALL, USER_RW);
 }
 @Test
@@ -749,7 +609,6 @@
 HTableDescriptor htd = new HTableDescriptor(tableName);
 htd.addFamily(new HColumnDescriptor(family1));
 htd.addFamily(new HColumnDescriptor(family2));
-htd.setOwnerString(USER_OWNER.getShortName());
 admin.createTable(htd);
 // create temp users
@@ -981,7 +840,6 @@
 HTableDescriptor htd = new HTableDescriptor(tableName);
 htd.addFamily(new HColumnDescriptor(family1));
 htd.addFamily(new HColumnDescriptor(family2));
-htd.setOwnerString(USER_OWNER.getShortName());
 admin.createTable(htd);
 // create temp users
@@ -1086,7 +944,6 @@
 HTableDescriptor htd = new HTableDescriptor(tableName);
 htd.addFamily(new HColumnDescriptor(family1));
 htd.addFamily(new HColumnDescriptor(family2));
-htd.setOwnerString(USER_OWNER.getShortName());
 admin.createTable(htd);
 HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
@@ -1139,14 +996,9 @@
 /** global operations*/
 private void verifyGlobal(PrivilegedExceptionAction action) throws Exception {
-// should be allowed
-verifyAllowed(SUPERUSER, action);
+verifyAllowed(action, SUPERUSER);
-// should be denied
-verifyDenied(USER_OWNER, action);
-verifyDenied(USER_RW, action);
-verifyDenied(USER_NONE, action);
-verifyDenied(USER_RO, action);
+verifyDenied(action, USER_TBLALL, USER_RW, USER_NONE, USER_RO);
 }
 public void checkGlobalPerms(Permission.Action... actions) throws IOException {
@@ -1309,7 +1161,7 @@
 }
 };
 // should be allowed
-verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_RW);
+verifyAllowed(familyReadWrite, SUPERUSER, USER_TBLALL, USER_RW);
 // should be denied
 verifyDenied(familyReadWrite, USER_NONE, USER_RO);