Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 172B711C09 for ; Wed, 25 Jun 2014 22:48:25 +0000 (UTC) Received: (qmail 86436 invoked by uid 500); 25 Jun 2014 22:48:24 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 86383 invoked by uid 500); 25 Jun 2014 22:48:24 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 86214 invoked by uid 99); 25 Jun 2014 22:48:24 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jun 2014 22:48:24 +0000 Date: Wed, 25 Jun 2014 22:48:24 +0000 (UTC) From: "Andrew Purtell (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-11411) [AccessController] Cell level permissions were not checked when using CELL_FIRST_STRATEGY MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-11411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14044150#comment-14044150 ] Andrew Purtell commented on HBASE-11411: ---------------------------------------- I would also not be opposed to just removing CHECK_CELL_FIRST strategy all together, because HBASE-11070 essentially disables it by default on trunk. I don't think we have any active use cases for it. > [AccessController] Cell level permissions were not checked when using CELL_FIRST_STRATEGY > ----------------------------------------------------------------------------------------- > > Key: HBASE-11411 > URL: https://issues.apache.org/jira/browse/HBASE-11411 > Project: HBase > Issue Type: Bug > Affects Versions: 0.98.3 > Reporter: ramkrishna.s.vasudevan > Assignee: ramkrishna.s.vasudevan > Fix For: 0.99.0, 0.98.4 > > Attachments: HBASE-11411.patch > > > In doing read operations with ACL we were checking there is read permission granted on the table > {code} > AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ); > HRegion region = getRegion(env); > TableName table = getTableName(region); > Map cfVsMaxVersions = Maps.newHashMap(); > for (HColumnDescriptor hcd : region.getTableDesc().getFamilies()) { > cfVsMaxVersions.put(new SimpleByteRange(hcd.getName()), hcd.getMaxVersions()); > } > {code} > If there is no permission then we were checking for the type of cell level permission > {code} > case CHECK_CELL_DEFAULT: { > if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) || > authManager.authorize(user, table, cell, Permission.Action.READ)) { > return ReturnCode.INCLUDE; > } > } > break; > // Cell permissions must authorize > case CHECK_CELL_FIRST: { > if (authManager.authorize(user, table, cell, Permission.Action.READ) && > authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) { > return ReturnCode.INCLUDE; > } > {code} > For CELL_FIRST_STRATEGY > -> if the user had granted READ permission on the table itself then even if cell level was not granting access we were able to read the cell. > ->If table level READ permission was not there then the && condition was failing from reading any cell even with READ permission. > The 2nd one was an intended behaviour but for the first one I think we should see if really the cell was readable too. -- This message was sent by Atlassian JIRA (v6.2#6252)