hbase-issues mailing list archives

From "Francis Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-8409) Security support for namespaces
Date Tue, 13 Aug 2013 16:11:49 GMT

    [ https://issues.apache.org/jira/browse/HBASE-8409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13738412#comment-13738412 ]

Francis Liu commented on HBASE-8409:

Are you fellas still debating Andrew Purtell and Francis Liu? Sounds like you are both saying
improvement is for another issue and this patch can go in as is?
I think debate is done. We'll address namespace security enhancements in a separate patch.

What about this work Francis: " The work related to migration of the existing acl table to
the new namespace is remaining and will be completed in the follow up patch. " ? That is included
in this patch right if I read the above properly?
Yep, it's included in NamespaceUpgrade. I updated the tgz file to include the acl table.

The description on this issue is really good. Can it become the release note? Does this patch
implement what the issue description outlines or were there compromises or adjustments? Can
the release also explain that there is precedent for the '@' symbol, else it looks like it
came from left field.
We agreed on the functionality but not on which privilege they map to. Sounds like we will
need more privileges, hence removing that functionality in the patch for now. The only permission
check is CRUD of namespace, which will require global admin. I can update the release notes
for that. BTW where is the release note?

> Security support for namespaces
> -------------------------------
>                 Key: HBASE-8409
>                 URL: https://issues.apache.org/jira/browse/HBASE-8409
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>            Assignee: Vandana Ayyalasomayajula
>            Priority: Blocker
>             Fix For: 0.98.0, 0.95.2
>         Attachments: HBASE-8049_trunk.patch, HBASE-8409_2.patch, HBASE-8409_3.patch,
> This task adds the security piece to the namespace feature. The work related to migration
> of the existing acl table to the new namespace is remaining and will be completed in the follow
> up patch. Permissions can be granted to a namespace by the hbase admin, by appending '@' to
> the namespace name. A user with write or admin permissions on a given namespace can create
> tables in that namespace. The other privileges (R, X, C) do not have any special meaning
> w.r.t. namespaces. Any users of hbase can list tables in a namespace.
> The following commands can only be executed by HBase admins.
> 1. Grant privileges for user on Namespace.
> 2. Revoke privileges for user on Namespace
> Grant Command:
> hbase> grant 'tenant-A', 'W', '@N1'
>  In the above example, the command will grant the user 'tenant-A' write privileges for
> a namespace named "N1".
> Revoke Command:
> hbase> revoke 'tenant-A', '@N1'
>  In the above example, the command will revoke all privileges from user 'tenant-A' for
> namespace named "N1".
> Let's see an example on how privileges work with namespaces.
> User "Mike" requests a namespace named "hbase_perf" with the hbase admin.
>       whoami: hbase
>       hbase shell >> namespace_create 'hbase_perf'
>       hbase shell >> grant 'mike', 'W', '@hbase_perf'
> Mike creates two tables "table20" and "table50" in the above workspace.
>       whoami: mike
>       hbase shell >> create 'hbase_perf.table20', 'family1'
>       hbase shell >> create 'hbase_perf.table50', 'family1'
>       Note: As Mike was able to create tables 'hbase_perf.table20', 'hbase_perf.table50',
>       he becomes the owner of those tables.
>       This means he has "RWXCA" perms on those tables.
> Another team member of Mike, Alice wants also to share the same workspace "hbase_perf".
> HBase admin grants Alice also permission to create tables in "hbase_perf" namespace.
>       whoami: hbase
>       hbase shell >> grant 'alice', 'W', '@hbase_perf'
> Now Alice can create new tables under "hbase_perf" namespace, but cannot read, write, alter, delete
> existing tables in the namespace.
>       whoami: alice
>       hbase shell >> namespace_list_tables 'hbase_perf'
>                      hbase_perf.table20
>                      hbase_perf.table50
>       hbase shell >> scan 'hbase_perf.table20'
>                      AccessDeniedException  
> If Alice wants to read or write to existing tables in the "hbase_perf" namespace, hbase
> admins need to explicitly grant permission.
>       whoami: hbase
>       hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20'
>       hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50'
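
The permission rules in the quoted issue description, written out as a small Ruby model so the namespace/table distinction can be checked; this is an added example, not HBase code and not part of the patch or the original message. `NamespaceAclModel`, its methods and `AccessDenied` are hypothetical names, the '.' separator follows the description, and treating HBase admins as passing every check is an assumption.

```ruby
require 'set'

# Toy model of the rules in the issue description; hypothetical names, not HBase code.
AccessDenied = Class.new(StandardError)

class NamespaceAclModel
  ALL = 'RWXCA'.chars.to_set

  def initialize(admins)
    @admins = admins.to_set                       # HBase admins
    @grants = Hash.new { |h, k| h[k] = Set.new }  # [user, scope] => actions
    @tables = {}                                  # "namespace.table" => owner
  end

  # A target starting with '@' names a namespace; anything else is a table.
  def scope(target)
    target.start_with?('@') ? [:namespace, target[1..-1]] : [:table, target]
  end

  def grant(actor, user, perms, target)
    raise AccessDenied, 'grant requires an HBase admin' unless @admins.include?(actor)
    @grants[[user, scope(target)]].merge(perms.chars)
  end

  def revoke(actor, user, target)
    raise AccessDenied, 'revoke requires an HBase admin' unless @admins.include?(actor)
    @grants.delete([user, scope(target)])  # drops all privileges on that target
  end

  def allowed?(user, action, target)
    return true if @admins.include?(user)  # assumption: admins pass every check
    kind, name = scope(target)
    return ALL.include?(action) if kind == :table && @tables[name] == user  # owner
    @grants.fetch([user, [kind, name]], Set.new).include?(action)
  end

  # W or A on the namespace permits table creation; the creator becomes owner.
  def create_table(user, table)
    ns = '@' + table.split('.', 2).first
    ok = allowed?(user, 'W', ns) || allowed?(user, 'A', ns)
    raise AccessDenied, "#{user} cannot create tables in #{ns}" unless ok
    @tables[table] = user
  end

  # Any user may list the tables in a namespace.
  def list_tables(_user, namespace)
    @tables.keys.select { |t| t.start_with?("#{namespace}.") }
  end
end
```

Replaying the Mike/Alice walk-through against this model shows the point a reviewer of such a policy would check: a namespace-level 'W' lets Alice create and list tables but gives her no read access to tables Mike owns until a table-level grant is made.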
