Message-ID: <53EEAFB5.4050104@gmail.com>
Date: Fri, 15 Aug 2014 18:11:17 -0700
From: Sean Hickey
To: user@accumulo.apache.org
Subject: Re: 1.6.0: Namespace.CREATE_TABLE not enforced?
In-Reply-To: <53EEAAFE.9040601@gmail.com>

Yep, I think Josh is correct. System permissions override Namespace
permissions (so giving them System.CREATE_TABLE lets them create tables
in any namespace) and Namespace permissions override any individual
Table permissions. (at least that's how I implemented it originally, I
don't think the permissions model would've changed much since then).

Sean

On 08/15/2014 05:51 PM, Josh Elser wrote:
> Looking at this, I'm guessing that System.CREATE_TABLE is
> overriding any permissions on the namespace 'foo'.
>
> Because 'user' has the ability to create tables at the System
> level, I'm guessing it trumps the lack of CREATE_TABLE for user on
> that namespace.
>
> Disclaimer: I haven't looked at the code to back up that guess.
>
> On 8/15/14, 8:35 PM, Matthew Dailey wrote:
>> From a clean Accumulo 1.6.0 install, I created a new user, gave
>> them System.CREATE_TABLE, and created a new namespace, but did
>> not give that user any permissions to that namespace. However, I
>> was then able to create a table under that namespace as the new
>> user.
>>
>> Is there some default openness for namespaces? My use case is
>> having a user able to make sandbox tables within their own
>> personal namespace.
>>
>> Thanks, Matt
>>
>> P.S. Command dump follows:
>>
>> root@accumulo> createuser user
>> root@accumulo> grant -u user -s System.CREATE_TABLE
>> root@accumulo> createnamespace foo
>> root@accumulo> user user
>>
>> user@accumulo> createtable foo.bar
>> user@accumulo foo.bar> insert a b c d
>> user@accumulo foo.bar> scan
>> a b:c [] d
>> user@accumulo foo.bar> userpermissions
>> System permissions: System.CREATE_TABLE
>>
>> Namespace permissions (accumulo): Namespace.READ
>>
>> Table permissions (accumulo.metadata): Table.READ
>> Table permissions (accumulo.root): Table.READ
>> Table permissions (foo.bar): Table.READ, Table.WRITE, Table.BULK_IMPORT, Table.ALTER_TABLE, Table.GRANT, Table.DROP_TABLE
>> user@accumulo foo.bar>
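
The precedence described in this thread, modelled as an added example (not Accumulo's code and not written by any poster): it parses the `userpermissions` output quoted above and reports the widest scope that grants a permission. The function names, the constructed `SCOPED` sample, and matching permissions by the name after the scope prefix are assumptions of this sketch.

```python
import re

# `userpermissions` output for 'user', copied from the thread above.
SAMPLE = """\
System permissions: System.CREATE_TABLE

Namespace permissions (accumulo): Namespace.READ

Table permissions (accumulo.metadata): Table.READ
Table permissions (accumulo.root): Table.READ
Table permissions (foo.bar): Table.READ, Table.WRITE, Table.BULK_IMPORT, Table.ALTER_TABLE, Table.GRANT, Table.DROP_TABLE
"""
# Constructed sample (assumed output shape): no system grant, CREATE_TABLE
# granted only on a personal namespace named 'sandbox'.
SCOPED = """\
System permissions:

Namespace permissions (sandbox): Namespace.CREATE_TABLE
"""
LINE = re.compile(r"^(System|Namespace|Table) permissions(?: \(([^)]+)\))?:\s*(.*)$")

def parse_userpermissions(text):
    """Return {"System": set, "Namespace": {ns: set}, "Table": {table: set}}."""
    grants = {"System": set(), "Namespace": {}, "Table": {}}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and shell prompts
        scope, target, perms = m.groups()
        # Drop the "System."/"Namespace."/"Table." prefix so scopes compare by name.
        names = {p.strip().split(".", 1)[-1] for p in perms.split(",") if p.strip()}
        if scope == "System":
            grants["System"] |= names
        else:
            grants[scope].setdefault(target, set()).update(names)
    return grants

def granting_scope(grants, perm, namespace, table=None):
    """Widest scope granting `perm` (table is fully qualified), or None."""
    if perm in grants["System"]:
        return "System"      # applies in every namespace
    if perm in grants["Namespace"].get(namespace, set()):
        return "Namespace"   # applies to every table in that namespace
    if table and perm in grants["Table"].get(table, set()):
        return "Table"
    return None

if __name__ == "__main__":
    for label, text in (("thread", SAMPLE), ("scoped", SCOPED)):
        print(label, granting_scope(parse_userpermissions(text), "CREATE_TABLE", "foo"))
```

A result of `"System"` for `CREATE_TABLE` means per-namespace grants do not confine that user, which is the situation reported in the thread.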