accumulo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Elser <josh.el...@gmail.com>
Subject Re: 1.6.0: Namespace.CREATE_TABLE not enforced?
Date Sat, 16 Aug 2014 00:51:10 GMT
Looking at this, I'm guessing that System.CREATE_TABLE is overriding any 
permissions on the namespace 'foo'.

Because 'user' has the ability to create tables at the System level, I'm 
guessing it trumps the lack of CREATE_TABLE for user on that namespace.

Disclaimer: I haven't looked at the code to back up that guess.

On 8/15/14, 8:35 PM, Matthew Dailey wrote:
>  From a clean Accumulo 1.6.0 install, I created a new user, gave them
> System.CREATE_TABLE, and created a new namespace, but did not give that
> user any permissions to that namespace.  However, I was then able to
> create a table under that namespace as the new user.
>
> Is there some default openness for namespaces?  My use case is having a
> user able to make sandbox tables within their own personal namespace.
>
> Thanks,
> Matt
>
> P.S.  Command dump follows:
>
> root@accumulo> createuser user
> root@accumulo> grant -u user -s System.CREATE_TABLE
> root@accumulo> createnamespace foo
> root@accumulo> user user
>
> user@accumulo> createtable foo.bar
> user@accumulo foo.bar> insert a b c d
> user@accumulo foo.bar> scan
> a b:c []    d
> user@accumulo foo.bar> userpermissions
> System permissions: System.CREATE_TABLE
>
> Namespace permissions (accumulo): Namespace.READ
>
> Table permissions (accumulo.metadata): Table.READ
> Table permissions (accumulo.root): Table.READ
> Table permissions (foo.bar): Table.READ, Table.WRITE, Table.BULK_IMPORT,
> Table.ALTER_TABLE, Table.GRANT, Table.DROP_TABLE
> user@accumulo foo.bar>

Mime
View raw message