From 85b1e87e1ca8097d8c35319150de828c660d22de Mon Sep 17 00:00:00 2001 From: Pankaj Kumar Date: Fri, 14 Oct 2016 23:16:50 +0800 Subject: [PATCH] HBASE-16724, Snapshot owner can't clone --- .../apache/hadoop/hbase/security/access/AccessController.java | 11 ++++++++++- .../hadoop/hbase/security/access/TestAccessController.java | 10 ++++------ src/main/asciidoc/_chapters/appendix_acl_matrix.adoc | 2 +- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 8047bb8..54364de 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -1305,7 +1305,16 @@ public class AccessController extends BaseMasterAndRegionObserver public void preCloneSnapshot(final ObserverContext ctx, final SnapshotDescription snapshot, final HTableDescriptor hTableDescriptor) throws IOException { - requirePermission("clone", Action.ADMIN); + User user = getActiveUser(); + if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user) + && hTableDescriptor.getNameAsString().equals(snapshot.getTable())) { + // Snapshot owner is allowed to create a table with the same name as the snapshot he took + AuthResult result = AuthResult.allow("clone" + snapshot.getName(), + "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null); + logResult(result); + } else { + requirePermission("clone", Action.ADMIN); + } } @Override diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 4bd68e0..e4179b2 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -2046,15 +2046,13 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), - null, null); + snapshot, htd); return null; } }; - // Clone by snapshot owner is not allowed , because clone operation creates a new table, - // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, - USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc index 698ae82..e222875 100644 --- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc +++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc @@ -100,7 +100,7 @@ In case the table goes out of date, the unit tests which check for accuracy of p | | stopMaster | superuser\|global(A) | | snapshot | superuser\|global(A)\|NS(A)\|TableOwner\|table(A) | | listSnapshot | superuser\|global(A)\|SnapshotOwner -| | cloneSnapshot | superuser\|global(A) +| | cloneSnapshot | superuser\|global(A)\|(SnapshotOwner & TableName matches) | | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|TableOwner\|table(A)) | | deleteSnapshot | superuser\|global(A)\|SnapshotOwner | | createNamespace | superuser\|global(A) -- 2.7.2.windows.1