hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "stack (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-8692) [AccessController] Restrict HTableDescriptor enumeration
Date Thu, 27 Jun 2013 17:05:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-8692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13694869#comment-13694869

stack commented on HBASE-8692:

This looks to have broke TestAccessController.  See$hbase-server/508/testReport/org.apache.hadoop.hbase.security.access/TestAccessController/testBulkLoad/

I added debug to the exception:

Expected action to pass for user 'rwuser' but was denied: org.apache.hadoop.hbase.exceptions.AccessDeniedException:
org.apache.hadoop.hbase.exceptions.AccessDeniedException: Insufficient permissions (user=rwuser,
scope=testBulkLoad, family=, action=CREATE)  at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:351)
 at org.apache.hadoop.hbase.security.access.AccessController.preGetTableDescriptors(AccessController.java:1391)
 at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preGetTableDescriptors(MasterCoprocessorHost.java:1125)
 at org.apache.hadoop.hbase.master.HMaster.getTableDescriptors(HMaster.java:2418)  at org.apache.hadoop.hbase.protobuf.generated.MasterMonitorProtos$MasterMonitorService$2.callBlockingMethod(MasterMonitorProtos.java:2702)
 at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2122)  at org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1829)

The rwuser does not have the now required CREATE permission.

The testBulkLoad has been failing solidly for a while now.  I'll disable it for the moment
till this addressed over in HBASE-8799
> [AccessController] Restrict HTableDescriptor enumeration
> --------------------------------------------------------
>                 Key: HBASE-8692
>                 URL: https://issues.apache.org/jira/browse/HBASE-8692
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0, 0.95.1, 0.94.9
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>             Fix For: 0.98.0, 0.95.2, 0.94.9
>         Attachments: 8692-0.94.patch, 8692-0.94.patch, 8692-0.94.patch, 8692-0.94.patch,
8692.patch, 8692.patch, 8692.patch, 8692.patch
> Some users are concerned about having table schema exposed to every user and would like
it protected, similar to the rest of the admin operations for schema. 
> This used to be hopeless because META would leak HTableDescriptors in HRegionInfo, but
that is no longer the case in 0.94+.
> Consider adding CP hooks in the master for intercepting HMasterInterface#getHTableDescriptors
and HMasterInterface#getHTableDescriptors(List<String>).  Add support in the AccessController
for only allowing GLOBAL ADMIN to the first method. Add support in the AccessController for
allowing access to the descriptors for the table names in the list of the second method only
if the user has TABLE ADMIN privilege for all of the listed table names.
> Then, fix the code in HBaseAdmin (and elsewhere) that expects to be able to enumerate
all table descriptors e.g. in deleteTable. A TABLE ADMIN can delete a table but won’t have
GLOBAL ADMIN privilege to enumerate the total list. So a minor fixup is needed here, and in
other places like this which make the same assumption.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message