[
https://issues.apache.org/jira/browse/HBASE-16724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529416#comment-15529416
]
Ashish Singhi commented on HBASE-16724:
---------------------------------------
Scenario:
user 'user1' (have admin and create rights on the namespace in which it create
the table below)
1. Create a table and takes the snapshot
2. Disable and drops the table
3. Performs restore_snapshot, which fails
Though there are sufficient permissions to the user 'user1' to execute
restore_snapshot as per [ACL
Matric|https://hbase.apache.org/book.html#appendix_acl_matrix] the access is
denied.
Currently when we restore a snapshot if the table that doesn't exist then
internally it will clone the snapshot which requires either superuser of global
admin permission only as per the ACL matrix and user1 lacks them, so it fails.
But the end user doesn't know about internal behavior.
So we think clone snapshot should also work with same permissions as
restore_snapshot.
WDYT [~mbertozzi]/Others ?
> Snapshot owner can't clone
> --------------------------
>
> Key: HBASE-16724
> URL: https://issues.apache.org/jira/browse/HBASE-16724
> Project: HBase
> Issue Type: Bug
> Components: snapshots
> Affects Versions: 2.0.0
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
>
> Currently only Global admin has the access of cloning a snapshot.
> In AccessController,
> {code}
> @Override
> public void preCloneSnapshot(final
> ObserverContext<MasterCoprocessorEnvironment> ctx,
> final SnapshotDescription snapshot, final HTableDescriptor
> hTableDescriptor)
> throws IOException {
> requirePermission(getActiveUser(ctx), "cloneSnapshot " +
> snapshot.getName(), Action.ADMIN);
> }
> {code}
> Snapshot owner should be able to clone it, need to add a check like,
> {code}
> SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
