Date: Fri, 21 Jun 2013 00:43:20 +0000 (UTC)
From: "Vandana Ayyalasomayajula (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Updated] (HBASE-8409) Security support for namespaces

[ https://issues.apache.org/jira/browse/HBASE-8409?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vandana Ayyalasomayajula updated HBASE-8409:
--------------------------------------------

    Description:
This task adds the security piece to the namespace feature. The work related to migration of the existing acl table to the new namespace is remaining and will be completed in the follow up patch. Permissions can be granted to a namespace by the hbase admin, by appending '@' to the namespace name. A user with write or admin permissions on a given namespace can create tables in that namespace. The other privileges (R, X, C) do not have any special meaning w.r.t. namespaces.
Any users of hbase can list tables in a namespace.

The following commands can only be executed by HBase admins.
1. Grant privileges for user on Namespace.
2. Revoke privileges for user on Namespace

Grant Command:
hbase> grant 'tenant-A', 'W', '@N1'
In the above example, the command will grant the user 'tenant-A' write privileges for a namespace named "N1".

Revoke Command:
hbase> revoke 'tenant-A', '@N1'
In the above example, the command will revoke all privileges from user 'tenant-A' for the namespace named "N1".

Let's see an example of how privileges work with namespaces.

User "Mike" requests a namespace named "hbase_perf" from the hbase admin.
whoami: hbase
hbase shell >> namespace_create 'hbase_perf'
hbase shell >> grant 'mike', 'W', '@hbase_perf'

Mike creates two tables "table20" and "table50" in the above workspace.
whoami: mike
hbase shell >> create 'hbase_perf.table20', 'family1'
hbase shell >> create 'hbase_perf.table50', 'family1'

Note: As Mike was able to create tables 'hbase_perf.table20', 'hbase_perf.table50', he becomes the owner of those tables. This means he has "RWXCA" perms on those tables.

Another team member of Mike, Alice, also wants to share the same workspace "hbase_perf". The HBase admin also grants Alice permission to create tables in the "hbase_perf" namespace.
whoami: hbase
hbase shell >> grant 'alice', 'W', '@hbase_perf'

Now Alice can create new tables under the "hbase_perf" namespace, but cannot read, write, alter, or delete existing tables in the namespace.
whoami: alice
hbase shell >> namespace_list_tables 'hbase_perf'
hbase_perf.table20
hbase_perf.table50
hbase shell >> scan 'hbase_perf.table20'
AccessDeniedException

If Alice wants to read or write to existing tables in the "hbase_perf" namespace, hbase admins need to explicitly grant permission.
whoami: hbase
hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20'
hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50'

> Security support for namespaces
> -------------------------------
>
>                 Key: HBASE-8409
>                 URL: https://issues.apache.org/jira/browse/HBASE-8409
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>            Assignee: Vandana Ayyalasomayajula
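Added example, not part of the JIRA issue and not HBase's own AccessController: a small Ruby model of the permission rules the description above spells out (W or A on '@ns' is needed to create a table there, the creator becomes owner with RWXCA, anyone may list a namespace's tables, and a namespace grant does not reach existing tables, which is why Alice's scan is denied until the admin grants on the table itself). The class and method names, the 'hbase' admin user, and the rule that a table grant needs admin or 'A' on that table are assumptions chosen to mirror the Mike/Alice walkthrough; `hbase_perf_walkthrough` replays it and returns what each step observed.

```ruby
# Toy model of the HBASE-8409 namespace ACL semantics (added illustration,
# not HBase code). Scopes are '@ns' for a namespace and 'ns.table' for a table.
class AccessDeniedException < StandardError; end

class NamespaceAclModel
  OWNER_PERMS = %w[R W X C A].freeze

  # admins: users allowed to create namespaces and grant/revoke on them.
  def initialize(admins)
    @admins = admins
    @perms = Hash.new { |h, user| h[user] = Hash.new { |h2, scope| h2[scope] = [] } }
    @namespaces = []
    @tables = {} # "ns.table" => owner
  end

  def admin?(user)
    @admins.include?(user)
  end

  def perms_for(user, scope)
    @perms[user][scope]
  end

  def create_namespace(actor, ns)
    deny!("only admins can create namespaces") unless admin?(actor)
    @namespaces << ns unless @namespaces.include?(ns)
  end

  # grant 'user', 'RW', '@ns'  or  grant 'user', 'RW', 'ns.table'
  def grant(actor, user, perms, scope)
    if scope.start_with?('@')
      deny!("only admins can grant on a namespace") unless admin?(actor)
    else
      # assumption: a table grant needs admin or 'A' on that table (owners hold it)
      deny!("no admin right on #{scope}") unless admin?(actor) || perms_for(actor, scope).include?('A')
    end
    @perms[user][scope] |= perms.chars
  end

  # revoke drops every permission the user holds on that scope.
  def revoke(actor, user, scope)
    deny!("only admins can revoke") unless admin?(actor)
    @perms[user].delete(scope)
  end

  # Any user may list the tables of a namespace.
  def list_tables(_actor, ns)
    @tables.keys.select { |t| t.start_with?("#{ns}.") }.sort
  end

  # Creating a table needs W or A on '@ns'; the creator becomes owner (RWXCA).
  def create_table(actor, fq_name)
    ns, _name = fq_name.split('.', 2)
    deny!("unknown namespace #{ns}") unless @namespaces.include?(ns)
    unless admin?(actor) || (perms_for(actor, "@#{ns}") & %w[W A]).any?
      deny!("#{actor} may not create tables in #{ns}")
    end
    @tables[fq_name] = actor
    @perms[actor][fq_name] |= OWNER_PERMS
    fq_name
  end

  # Table access is decided by table-scope permissions only: a namespace grant
  # does not reach existing tables, exactly as in the Alice walkthrough.
  def allowed?(actor, fq_name, perm)
    admin?(actor) || perms_for(actor, fq_name).include?(perm)
  end

  def scan(actor, fq_name)
    deny!("#{actor} lacks R on #{fq_name}") unless allowed?(actor, fq_name, 'R')
    :rows
  end

  private

  def deny!(msg)
    raise AccessDeniedException, msg
  end
end

# Replays the issue's hbase_perf scenario and returns what each step observed.
def hbase_perf_walkthrough
  acl = NamespaceAclModel.new(['hbase'])
  acl.create_namespace('hbase', 'hbase_perf')
  acl.grant('hbase', 'mike', 'W', '@hbase_perf')
  acl.create_table('mike', 'hbase_perf.table20')
  acl.create_table('mike', 'hbase_perf.table50')
  acl.grant('hbase', 'alice', 'W', '@hbase_perf')
  listing = acl.list_tables('alice', 'hbase_perf')
  scan_before = begin
    acl.scan('alice', 'hbase_perf.table20')
  rescue AccessDeniedException
    :denied
  end
  created = acl.create_table('alice', 'hbase_perf.table70')
  acl.grant('hbase', 'alice', 'RW', 'hbase_perf.table20')
  { mike_owner_perms: acl.perms_for('mike', 'hbase_perf.table20'),
    alice_can_list: listing, alice_created: created,
    alice_scan_before_grant: scan_before,
    alice_scan_after_grant: acl.scan('alice', 'hbase_perf.table20'),
    alice_reads_table50: acl.allowed?('alice', 'hbase_perf.table50', 'R') }
end
```

Two points the model makes explicit for a reviewer of the real feature: listing is open to every user, so table names inside a namespace are visible to anyone who can reach the cluster; and a namespace-level 'W' grants only creation, so sharing a workspace between teammates still requires per-table grants for each existing table.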