hbase-commits mailing list archives

From mi...@apache.org
Subject hbase git commit: HBASE-12723 Update ACL matrix to reflect reality <Srikanth Srungarapu>
Date Mon, 09 Mar 2015 22:20:53 GMT
Repository: hbase
Updated Branches:
  refs/heads/master fb5e6b3f7 -> 61cc8e0de


HBASE-12723 Update ACL matrix to reflect reality <Srikanth Srungarapu>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/61cc8e0d
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/61cc8e0d
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/61cc8e0d

Branch: refs/heads/master
Commit: 61cc8e0de12987b1d64fd06fa27a55c89c4a742f
Parents: fb5e6b3
Author: Misty Stanley-Jones <mstanleyjones@cloudera.com>
Authored: Tue Mar 10 08:20:41 2015 +1000
Committer: Misty Stanley-Jones <mstanleyjones@cloudera.com>
Committed: Tue Mar 10 08:20:41 2015 +1000

----------------------------------------------------------------------
 .../asciidoc/_chapters/appendix_acl_matrix.adoc | 134 +++++++++++--------
 1 file changed, 81 insertions(+), 53 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/61cc8e0d/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
index 7cf70b2..bf35c1a 100644
--- a/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
+++ b/src/main/asciidoc/_chapters/appendix_acl_matrix.adoc
@@ -30,7 +30,7 @@
 :toc: left
 :source-language: java
 
-The following matrix shows the minimum permission set required to perform operations in HBase.
+The following matrix shows the permission set required to perform operations in HBase.
 Before using the table, read through the information about how to interpret it.
 
 .Interpreting the ACL Matrix Table
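Review bot: dropping "minimum" from the lead sentence (`+The following matrix shows the permission set required to perform operations in HBase.`) leaves the reader without the rule the new table relies on; the new Permissions column lists several scope/permission alternatives separated by `\|`, and nothing in the text says whether one of them suffices or all are needed. Suggest saying so explicitly, e.g. `The following matrix shows the permission set required to perform operations in HBase. Where several scope/permission alternatives are listed for an operation, holding any one of them satisfies the check.`, and checking that the "Interpreting the ACL Matrix Table" section that follows still matches the new three-column layout.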
@@ -70,64 +70,92 @@ The [systemitem]+hbase:meta+ table is readable by every user, regardless
of the
   This is a requirement for HBase to function correctly.
 `CheckAndPut` and `CheckAndDelete` operations will fail if the user does not have both Write
and Read permission.::
 `Increment` and `Append` operations do not require Read access.::
+The `superuser`, as the name suggests has permissions to perform all possible operations.::
+And for the operations marked with *, the checks are done in post hook and only subset of
results satisfying access checks are returned back to the user.::
 
 The following table is sorted by the interface that provides each operation.
 In case the table goes out of date, the unit tests which check for accuracy of permissions
can be found in _hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java_,
and the access controls themselves can be examined in _hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java_.
 
 .ACL Matrix
-[cols="1,1,1,1", frame="all", options="header"]
+[cols="1,1,1", frame="all", options="header"]
 |===
-| Interface | Operation | Minimum Scope | Minimum Permission
-| Master | createTable | Global | C
-|        | modifyTable | Table | A\|C                    
-|        | deleteTable | Table | A\|C                   
-| | truncateTable | Table | A\|C                   
-| | addColumn | Table | A\|C
-| | modifyColumn | Table | A\|C
-| | deleteColumn | Table | A\|C
-| | disableTable | Table | A\|C
-| | disableAclTable | None | Not allowed
-| | enableTable | Table | A\|C
-| | move | Global | A
-| | assign | Global | A
-| | unassign | Global | A
-| | regionOffline | Global | A
-| | balance | Global | A
-| | balanceSwitch | Global | A
-| | shutdown | Global | A
-| | stopMaster | Global | A
-| | snapshot | Global | A
-| | clone | Global | A
-| | restore | Global | A
-| | deleteSnapshot | Global | A
-| | createNamespace | Global | A
-| | deleteNamespace | Namespace | A
-| | modifyNamespace | Namespace | A
-| | flushTable | Table | A\|C
-| | getTableDescriptors | Global\|Table | A
-| | mergeRegions | Global | A
-| Region | openRegion | Global | A
-| | closeRegion | Global | A
-| | stopRegionServer | Global | A
-| | rollHLog | Global | A
-| | mergeRegions | Global | A
-| | flush | Global\|Table | A\|C 
-| | split | Global\|Table | A
-| | compact | Global\|Table | A\|C
-| | bulkLoadHFile    | Table | W
-| | prepareBulkLoad  | Table |C
-| | cleanupBulkLoad  | Table |W
-| | checkAndDelete   | Table\|CF\|CQ | RW
-| | checkAndPut | Table\|CF\|CQ | RW
-| | incrementColumnValue  | Table\|CF\|CQ | RW
-| | scannerClose |     Table | R
-| | scannerNext | Table |  R
-| | scannerOpen | Table\|CF\|CQ | R     
-| Endpoint | invoke | Endpoint | X
-| AccessController | grant | Global\|Table\|NS | A 
-| | revoke | Global\|Table\|NS | A                   
-| | getUserPermissions | Global\|Table\|NS | A
-| | checkPermissions | Global\|Table\|NS | A                 
+| Interface | Operation | Permissions
+| Master | createTable | superuser\|global\(C)\|NS\(C)
+|        | modifyTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | deleteTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | truncateTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | addColumn | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | modifyColumn | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)\|column(A)\|column\(C)
+|        | deleteColumn | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)\|column(A)\|column\(C)
+|        | enableTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | disableTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | disableAclTable | Not allowed
+|        | move | superuser\|global(A)\|NS(A)\|Table(A)
+|        | assign | superuser\|global(A)\|NS(A)\|Table(A)
+|        | unassign | superuser\|global(A)\|NS(A)\|Table(A)
+|        | regionOffline | superuser\|global(A)\|NS(A)\|Table(A)
+|        | balance | superuser\|global(A)
+|        | balanceSwitch | superuser\|global(A)
+|        | shutdown | superuser\|global(A)
+|        | stopMaster | superuser\|global(A)
+|        | snapshot | superuser\|global(A)\|NS(A)\|Table(A)
+|        | listSnapshot | superuser\|global(A)\|SnapshotOwner
+|        | cloneSnapshot | superuser\|global(A)
+|        | restoreSnapshot | superuser\|global(A)\|SnapshotOwner & (NS(A)\|Table(A))
+|        | deleteSnapshot | superuser\|global(A)\|SnapshotOwner
+|        | createNamespace | superuser\|global(A)
+|        | deleteNamespace | superuser\|global(A)
+|        | modifyNamespace | superuser\|global(A)
+|        | getNamespaceDescriptor | superuser\|global(A)\|NS(A)
+|        | listNamespaceDescriptors* | superuser\|global(A)\|NS(A)
+|        | flushTable | superuser\|global(A)\|global\(C)\|NS(A)\|NS(\C)\|table(A)\|table\(C)
+|        | getTableDescriptors* | superuser\|global(A)\|global\(C)\|NS(A)\|NS\(C)\|table(A)\|table\(C)
+|        | getTableNames* | Any global or table perm
+|        | setUserQuota(global level) | superuser\|global(A)
+|        | setUserQuota(namespace level) | superuser\|global(A)
+|        | setUserQuota(Table level) | superuser\|global(A)\|NS(A)\|Table(A)
+|        | setTableQuota | superuser\|global(A)\|NS(A)\|Table(A)
+|        | setNamespaceQuota | superuser\|global(A)
+| Region | openRegion | superuser\|global(A)
+|        | closeRegion | superuser\|global(A)
+|        | flush | superuser\|global(A)\|global\(C)\|table(A)\|table\(C)
+|        | split | superuser\|global(A)\|Table(A)
+|        | compact | superuser\|global(A)\|global\(C)\|table(A)\|table\(C)
+|        | getClosestRowBefore | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | getOp | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | exists | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | put | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | delete | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | batchMutate | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | checkAndPut | superuser\|global(RW)\|NS(RW)\|Table(RW)\|CF(RW)\|CQ(RW)
+|        | checkAndPutAfterRowLock | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | checkAndDelete   | superuser\|global(RW)\|NS(RW)\|Table(RW)\|CF(RW)\|CQ(RW)
+|        | checkAndDeleteAfterRowLock | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | incrementColumnValue | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | append | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | appendAfterRowLock | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | increment | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | incrementAfterRowLock | superuser\|global(W)\|NS(W)\|Table(W)\|CF(W)\|CQ(W)
+|        | scannerOpen | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | scannerNext | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | scannerClose | superuser\|global\(R)\|NS\(R)\|Table\(R)\|CF\(R)\|CQ\(R)
+|        | bulkLoadHFile | superuser\|global\(C)\|table\(C)\|CF\(C)
+|        | prepareBulkLoad | superuser\|global\(C)\|table\(C)\|CF\(C)
+|        | cleanupBulkLoad | superuser\|global\(C)\|table\(C)\|CF\(C)
+| Endpoint | invoke | superuser\|global(X)\|NS(X)\|Table(X)
+| AccessController | grant(global level) | global(A)
+|                  | grant(namespace level) | global(A)\|NS(A)
+|                  | grant(table level) | global(A)\|NS(A)\|table(A)\|CF(A)\|CQ(A)
+|                  | revoke(global level) | global(A)
+|                  | revoke(namespace level) | global(A)\|NS(A)
+|                  | revoke(table level) | global(A)\|NS(A)\|table(A)\|CF(A)\|CQ(A)
+|                  | getUserPermissions(global level) | global(A)
+|                  | getUserPermissions(namespace level) | global(A)\|NS(A)
+|                  | getUserPermissions(table level) | global(A)\|NS(A)\|table(A)\|CF(A)\|CQ(A)
+| RegionServer | stopRegionServer | superuser\|global(A)
+|              | mergeRegions | superuser\|global(A)
+|              | rollWALWriterRequest | superuser\|global(A)
+|              | replicateLogEntries | superuser\|global(W)
 |===
 
 :numbered:
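Review bot: the flushTable row has the escape on the wrong side of the parenthesis, `NS(\C)`, where every other row writes `NS\(C)`; AsciiDoc replaces an unescaped `(C)` with the copyright symbol and would render the stray backslash literally, so this should be `NS\(C)`. Two consistency questions on the same table: createTable lists only `superuser\|global\(C)\|NS\(C)` while every other table-DDL row (modifyTable, deleteTable, truncateTable, addColumn, ...) also lists `global(A)` and `NS(A)`, and the AccessController grant/revoke/getUserPermissions rows are the only rows that omit `superuser`; both should be confirmed against the AccessController.java cited just above the table and either corrected or explained in the interpreting notes. Minor style: the new rows mix `Table(A)` and `table(A)` for the same scope, and the two new definition-list items need a comma after `as the name suggests`, should drop the leading `And`, and should read `only the subset of results satisfying the access checks is returned to the user`.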

