Return-Path: 
 <issues-return-149337-apmail-hbase-issues-archive=hbase.apache.org@hbase.apache.org>
X-Original-To: apmail-hbase-issues-archive@www.apache.org
Delivered-To: apmail-hbase-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 2BED311FA0
	for <apmail-hbase-issues-archive@www.apache.org>;
 Tue, 10 Jun 2014 13:45:05 +0000 (UTC)
Received: (qmail 64420 invoked by uid 500); 10 Jun 2014 13:45:04 -0000
Delivered-To: apmail-hbase-issues-archive@hbase.apache.org
Received: (qmail 63883 invoked by uid 500); 10 Jun 2014 13:45:04 -0000
Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@hbase.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@hbase.apache.org>
List-Post: <mailto:issues@hbase.apache.org>
List-Id: <issues.hbase.apache.org>
Delivered-To: mailing list issues@hbase.apache.org
Received: (qmail 63716 invoked by uid 99); 10 Jun 2014 13:45:04 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Jun 2014 13:45:04 +0000
Date: Tue, 10 Jun 2014 13:45:04 +0000 (UTC)
From: "Liu Shaohui (JIRA)" <jira@apache.org>
To: issues@hbase.apache.org
Message-ID: <JIRA.12718622.1401973352049.101340.1402407904322@arcas>
In-Reply-To: <JIRA.12718622.1401973352049@arcas>
References: <JIRA.12718622.1401973352049@arcas>
Subject: [jira] [Commented] (HBASE-11300) Wrong permission check for
 checkAndPut in AccessController
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HBASE-11300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14026444#comment-14026444 ] 

Liu Shaohui commented on HBASE-11300:
-------------------------------------

Sorry for ignoring HBASE-11117.
Write permissions are checked in later prePut/Delete hook with Put/Delete mutation.

> Wrong permission check for checkAndPut in AccessController
> ----------------------------------------------------------
>
>                 Key: HBASE-11300
>                 URL: https://issues.apache.org/jira/browse/HBASE-11300
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.99.0
>            Reporter: Liu Shaohui
>            Assignee: Liu Shaohui
>            Priority: Minor
>
> For the checkAndPut operation, the AccessController only checks the read and write permission for the family and qualifier to check, but ignores the write permission for the family map of "put". What's more,  we don't need the write permission for the family and qualifier to check.
> See the code AccessController.java #1538
> {code}
>     Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
>     User user = getActiveUser();
>     AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT, user, env, families,
>       Action.READ, Action.WRITE);
> {code}
> Same problem for checkAndDelete operation.



--
This message was sent by Atlassian JIRA
(v6.2#6252)