From 2ac1dfbd68407bca89fa96c8ea91c5393d4cc99c Mon Sep 17 00:00:00 2001
From: Pankaj Kumar
Date: Tue, 4 Oct 2016 21:44:30 +0800
Subject: [PATCH] HBASE-16724, Snapshot owner can't clone
---
 .../apache/hadoop/hbase/security/access/AccessController.java | 11 ++++++++++-
 .../hadoop/hbase/security/access/TestAccessController.java | 10 ++++------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 1163c44..7ff9b6a 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1334,7 +1334,16 @@ public class AccessController extends BaseMasterAndRegionObserver
 public void preCloneSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException {
- requirePermission(getActiveUser(ctx), "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+ User user = getActiveUser(ctx);
+ if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
+ && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) {
+ // Snapshot owner is allowed to create a table with the same name as the snapshot he took
+ AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),
+ "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);
+ logResult(result);
+ } else {
+ requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+ }
 }
 @Override
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 9ba0d0e..ef44693 100644
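Review bot: The owner branch of `preCloneSnapshot` dereferences `hTableDescriptor` without a null check, and the test in this same patch previously passed `null` for that argument, so a snapshot owner calling with no descriptor would get a NullPointerException instead of an access decision; `&& hTableDescriptor != null && hTableDescriptor.getNameAsString().equals(snapshot.getTable())` keeps that case on the `requirePermission(..., Action.ADMIN)` path. More broadly, this branch bypasses the ADMIN check purely on the owner recorded in `snapshot`, so it is worth confirming (not visible here) that the descriptor handed to this hook is the stored snapshot metadata and not something a caller can populate. The new inline comment says "same name as the snapshot" while the code compares with `snapshot.getTable()`; I would reword it to `// Snapshot owner may re-create only the table the snapshot was taken from; any other target still needs ADMIN`. The method's `@Override` annotation sits above the hunk.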
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2124,15 +2124,13 @@ public class TestAccessController extends SecureTestUtil {
 @Override
 public Object run() throws Exception {
 ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
- snapshot, null);
+ snapshot, htd);
 return null;
 }
 };
- // Clone by snapshot owner is not allowed , because clone operation creates a new table,
- // which needs global admin permission.
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
- USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
 }
 @Test (timeout=180000)
--
2.7.2.windows.1
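Review bot: Only the allow path of the new owner rule is exercised: `cloneAction` passes `htd`, and nothing asserts that `USER_OWNER` is still denied when the target descriptor names a different table than `snapshot.getTable()`. Since that name comparison is the only thing limiting the ADMIN bypass, I would add a second action that passes a descriptor with another table name and assert `verifyDenied(cloneToOtherTableAction, USER_OWNER);` (the action name is a placeholder). `htd` and `snapshot` are declared outside the hunk, so I am assuming `htd` describes the snapshot's source table. The removed comment explained the old policy; a one-line replacement such as `// Snapshot owner may clone back to the snapshot's source table without ADMIN` would keep the intent documented.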