diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 3e5635a..27eef4a 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -171,6 +171,8 @@ public class AccessController extends BaseMasterAndRegionObserver private Map scannerOwners = new MapMaker().weakKeys().makeMap(); + private Map> tableAcls; + // Provider for mapping principal names to Users private UserProvider userProvider; @@ -859,6 +861,8 @@ public class AccessController extends BaseMasterAndRegionObserver } else { throw new RuntimeException("Error obtaining TableAuthManager, zk found null."); } + + tableAcls = new MapMaker().weakValues().makeMap(); } public void stop(CoprocessorEnvironment env) { @@ -936,7 +940,24 @@ public class AccessController extends BaseMasterAndRegionObserver @Override public void preTruncateTable(ObserverContext c, TableName tableName) throws IOException { - requirePermission("truncateTable", tableName, null, null, Action.ADMIN, Action.CREATE); + requirePermission("truncateTable", tableName, null, null, Action.ADMIN); + List acls = AccessControlLists.getUserTablePermissions(c.getEnvironment() + .getConfiguration(), tableName); + if (acls != null) { + tableAcls.put(tableName, acls); + } + } + + @Override + public void postTruncateTable(ObserverContext ctx, + TableName tableName) throws IOException { + List perms = tableAcls.get(tableName); + if (perms != null) { + for (UserPermission perm : perms) { + AccessControlLists.addUserPermission(ctx.getEnvironment().getConfiguration(), perm); + } + } + tableAcls.remove(tableName); } @Override 
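Review bot: The `weakValues()` map created here can drop a saved ACL list before `postTruncateTable` reads it, because nothing else visible in this diff holds a strong reference to the list that `preTruncateTable` stores. If the collector clears the entry between the two hooks, the truncate finishes and no permissions are written back, with no error raised. Holding the values strongly avoids this, for example `tableAcls = new MapMaker().makeMap();`, since `postTruncateTable` already removes the entry explicitly. An entry would then linger if a truncate fails before the post hook runs, so that path needs its own cleanup. The enclosing method starts outside this hunk.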
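Review bot: In `postTruncateTable` the saved entry is removed only after the restore loop, so an `IOException` from `addUserPermission` partway through leaves the table with a partial ACL set and the stale list still cached under that table name. Taking the entry out up front, `List<UserPermission> perms = tableAcls.remove(tableName);`, and dropping the trailing `tableAcls.remove(tableName)` keeps the cache clean on every path. The failure should also be logged with the table name so an operator knows the grants need to be re-applied. Separately, the cache is keyed by table name only, so two overlapping truncates of the same table would share one slot. It is also worth confirming that the ACL read and write in these hooks run with sufficient privilege rather than as the calling user, which this diff does not show.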
diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index f0f7a14..9a01e7d 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -37,6 +37,7 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hbase.Coprocessor; import org.apache.hadoop.hbase.CoprocessorEnvironment; +import org.apache.hadoop.hbase.HBaseIOException; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HConstants; @@ -333,8 +334,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE,USER_CREATE, USER_OWNER); } @Test 
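Review bot: The updated expectations move `USER_CREATE` and `USER_OWNER` to the denied list without a comment explaining why a table owner can no longer truncate their own table. This is a narrowing of access that existing deployments may rely on, so a short comment above the two calls would help, such as `// truncate drops and recreates the table, so it now requires ADMIN; CREATE and ownership alone are not enough`. The argument list is also missing a space: `USER_NONE,USER_CREATE` should read `USER_NONE, USER_CREATE`.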
@@ -2179,4 +2180,21 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); } + @Test + public void testTruncatePerms() throws Exception { + try { + List existingPerms = AccessControlClient.getUserPermissions(conf, TEST_TABLE + .getTableName().getNameAsString()); + assertTrue(existingPerms != null); + assertTrue(existingPerms.size() > 1); + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); + TEST_UTIL.getHBaseAdmin().truncateTable(TEST_TABLE.getTableName(), true); + List perms = AccessControlClient.getUserPermissions(conf, TEST_TABLE + .getTableName().getNameAsString()); + assertTrue(perms != null); + assertEquals(existingPerms.size(), perms.size()); + } catch (Throwable e) { + throw new HBaseIOException(e); + } + } }
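Review bot: `testTruncatePerms` compares only the number of permissions before and after the truncate, so a restore that wrote back the right count but the wrong users or actions would still pass. Comparing contents is stronger, for example `assertTrue(perms.containsAll(existingPerms));`, assuming `UserPermission.equals` compares user, table and actions. The `catch (Throwable e)` wrapper also turns an `AssertionError` into an `HBaseIOException`, which hides the failed assertion in the report. Since the method already declares `throws Exception`, the try/catch and the new `HBaseIOException` import can be dropped.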