From: "Andrew Purtell (JIRA)"
To: dev@hbase.apache.org
Date: Sat, 19 Mar 2016 01:56:33 +0000 (UTC)
Subject: [jira] [Resolved] (HBASE-15483) After disabling Authorization, user should not be allowed to modify ACL record

[ https://issues.apache.org/jira/browse/HBASE-15483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell resolved HBASE-15483.
------------------------------------
    Resolution: Not A Bug

This is expected behavior and was described in the release notes when this setting was introduced.
> After disabling Authorization, user should not be allowed to modify ACL record
> -------------------------------------------------------------------------------
>
>                 Key: HBASE-15483
>                 URL: https://issues.apache.org/jira/browse/HBASE-15483
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>            Reporter: meiwen li
>
> After setting hbase.security.authorization to false, HBase does NOT do an authority check for any operation by any user. Thus any user, including a read-only user, has the authority to grant. The change to the ACL record persists and will take effect after the next enabling of authorization.
> The consequence is:
> A read-only user can change an admin user to be a "readonly" user after a round of "disable authorization" and "enable authorization".
> Also,
> A read-only user can change a "readonly" user to be an Admin after such a round of disable/enable.
> It is expected that
> after authorization is disabled, the authorization-related file, the ACL record, should not be open to users and not be changed. Otherwise, after the next enablement of authorization, the changed ACL takes effect and users get unexpected authority.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
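Since the resolution confirms that grants made while hbase.security.authorization is false persist and take effect once it is re-enabled, an operator who must temporarily disable authorization wants a way to spot ACL drift before turning it back on. The following is an added example, not code from the HBase project or this issue; it assumes you captured the ACL grants (for instance, from the HBase shell user_permission output) before disabling and again before re-enabling authorization, and reduced them to a constructed "user table actions" line format.

```python
"""Audit ACL grant drift across a disable/enable round of HBase authorization.

Added example (not HBase project code). The snapshot format below is
constructed: one grant per line as "user table COMMA,SEPARATED,ACTIONS".
"""
from typing import Dict, Set, Tuple

GrantKey = Tuple[str, str]          # (user, table)
Grants = Dict[GrantKey, Set[str]]   # key -> granted actions


def parse_grants(text: str) -> Grants:
    """Parse constructed snapshot lines into a map of granted actions."""
    grants: Grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, table, actions = line.split()
        grants[(user, table)] = set(actions.split(","))
    return grants


def diff_grants(before: Grants, after: Grants) -> Tuple[Grants, Grants]:
    """Return (escalations, revocations): actions gained and actions lost."""
    escalations: Grants = {}
    revocations: Grants = {}
    for key in set(before) | set(after):
        gained = after.get(key, set()) - before.get(key, set())
        lost = before.get(key, set()) - after.get(key, set())
        if gained:
            escalations[key] = gained
        if lost:
            revocations[key] = lost
    return escalations, revocations


# Constructed snapshots reproducing the scenario in the issue: while
# authorization was off, the read-only user promoted itself and demoted admin.
BEFORE = "admin  t1  READ,WRITE,CREATE,ADMIN\nreader t1  READ\n"
AFTER = "admin  t1  READ\nreader t1  READ,WRITE,CREATE,ADMIN\n"


def audit(before_text: str = BEFORE, after_text: str = AFTER) -> Tuple[Grants, Grants]:
    """Compare two snapshots; non-empty results mean review before re-enabling."""
    return diff_grants(parse_grants(before_text), parse_grants(after_text))


if __name__ == "__main__":
    esc, rev = audit()
    for (user, table), acts in sorted(esc.items()):
        print(f"ESCALATED {user} on {table}: +{','.join(sorted(acts))}")
    for (user, table), acts in sorted(rev.items()):
        print(f"REVOKED   {user} on {table}: -{','.join(sorted(acts))}")
```

Any non-empty result should be reviewed and reverted before hbase.security.authorization is set back to true, since the grants will be enforced as-is from that point.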