hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enis Soztutar (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-5352) ACL improvements
Date Wed, 08 Feb 2012 01:44:59 GMT
ACL improvements

                 Key: HBASE-5352
                 URL: https://issues.apache.org/jira/browse/HBASE-5352
             Project: HBase
          Issue Type: Improvement
          Components: security
    Affects Versions: 0.94.0, 0.92.1
            Reporter: Enis Soztutar
            Assignee: Enis Soztutar

In this issue I would like to open discussion for a few minor ACL related improvements. The
proposed changes are as follows: 

1. Introduce something like AccessControllerProtocol.checkPermissions(Permission[] permissions)
API, so that clients can check access rights before carrying out the operations. We need this
kind of operation for HCATALOG-245, which introduces authorization providers for hbase over
hcat. We cannot use getUserPermissions() since it requires ADMIN permissions on the global/table
2. getUserPermissions(tableName)/grant/revoke and drop/modify table operations should not
check for global CREATE/ADMIN rights, but table CREATE/ADMIN rights. The reasoning is that
if a user is able to admin or read from a table, she should be able to read the table's permissions.
We can choose whether we want only READ or ADMIN permissions for getUserPermission(). Since
we check for global permissions first for table permissions, configuring table access using
global permissions will continue to work.  
3. Grant/Revoke global permissions - HBASE-5342 (included for completeness)

>From all 3, we may want to backport the first one to 0.92 since without it, Hive/Hcatalog
cannot use Hbase's authorization mechanism effectively. 

I will create subissues and convert HBASE-5342 to a subtask when we get some feedback, and
opinions for going further. 

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message