accumulo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <ctubb...@apache.org>
Subject Re: 1.6.0: Namespace.CREATE_TABLE not enforced?
Date Sat, 16 Aug 2014 09:53:39 GMT
Both are not required. The intention of Namespace.CREATE_TABLE is so you
can grant the CREATE_TABLE permission to users working in a given namespace
without giving them the system-wide permission. This behaves similarly to
the Table.GRANT permission allowing a user to grant other permissions to
that specific table, but not to other tables, but the System.GRANT
permission can grant other permissions to any table.

It's also analogous to the system-wide configuration properties,
per-namespace properties that apply to all tables in a namespace, and
per-table configuration properties that apply only to a table.


--
Christopher L Tubbs II
http://gravatar.com/ctubbsii


On Fri, Aug 15, 2014 at 9:10 PM, Matthew Dailey <matthew.dailey1@gmail.com>
wrote:

> Ahh, so the intent of Namespace.CREATE_TABLE is to allow a user to create
> tables within a namespace without System.CREATE_TABLE.  I verified just
> giving the user Namespace.CREATE_TABLE let them make a table in my 'foo'
> namespace.  My guess was that both permissions were required, but it looks
> like that's not the case.
>
> Thanks!
>
>
> On Fri, Aug 15, 2014 at 8:51 PM, Josh Elser <josh.elser@gmail.com> wrote:
>
>> Looking at this, I'm guessing that System.CREATE_TABLE is overriding any
>> permissions on the namespace 'foo'.
>>
>> Because 'user' has the ability to create tables at the System level, I'm
>> guessing it trumps the lack of CREATE_TABLE for user on that namespace.
>>
>> Disclaimer: I haven't looked at the code to back up that guess.
>>
>>
>> On 8/15/14, 8:35 PM, Matthew Dailey wrote:
>>
>>>  From a clean Accumulo 1.6.0 install, I created a new user, gave them
>>> System.CREATE_TABLE, and created a new namespace, but did not give that
>>> user any permissions to that namespace.  However, I was then able to
>>> create a table under that namespace as the new user.
>>>
>>> Is there some default openness for namespaces?  My use case is having a
>>> user able to make sandbox tables within their own personal namespace.
>>>
>>> Thanks,
>>> Matt
>>>
>>> P.S.  Command dump follows:
>>>
>>> root@accumulo> createuser user
>>> root@accumulo> grant -u user -s System.CREATE_TABLE
>>> root@accumulo> createnamespace foo
>>> root@accumulo> user user
>>>
>>> user@accumulo> createtable foo.bar
>>> user@accumulo foo.bar> insert a b c d
>>> user@accumulo foo.bar> scan
>>> a b:c []    d
>>> user@accumulo foo.bar> userpermissions
>>> System permissions: System.CREATE_TABLE
>>>
>>> Namespace permissions (accumulo): Namespace.READ
>>>
>>> Table permissions (accumulo.metadata): Table.READ
>>> Table permissions (accumulo.root): Table.READ
>>> Table permissions (foo.bar): Table.READ, Table.WRITE, Table.BULK_IMPORT,
>>> Table.ALTER_TABLE, Table.GRANT, Table.DROP_TABLE
>>> user@accumulo foo.bar>
>>>
>>
>

Mime
View raw message