hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-12536) Reduce the effective scope of GLOBAL CREATE and ADMIN permission
Date Wed, 19 Nov 2014 17:16:33 GMT

     [ https://issues.apache.org/jira/browse/HBASE-12536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andrew Purtell updated HBASE-12536:
-----------------------------------
    Release Note: This change removes implicit write access to the META and ACL tables for
any user with GLOBAL CREATE or ADMIN privilege. Users with GLOBAL CREATE will not be able
to elevate their privileges unexpectedly through direct access to the ACL table. A GLOBAL
ADMIN will still correctly be allowed to grant themselves any desired privilege.  (was: This
change removes implicit write access to the META and ACL tables for any user with GLOBAL CREATE
or ADMIN privilege. Users with GLOBAL CREATE will not be able to elevate their privileges
unexpectedly through direct access to the ACL table. A GLOBAL ADMIN will be still correctly
be allowed to grant themselves any desired privilege.)

> Reduce the effective scope of GLOBAL CREATE and ADMIN permission
> ----------------------------------------------------------------
>
>                 Key: HBASE-12536
>                 URL: https://issues.apache.org/jira/browse/HBASE-12536
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 0.94.24, 0.98.8, 0.99.2
>
>         Attachments: HBASE-12536-0.94.patch, HBASE-12536-0.98.patch, HBASE-12536.patch
>
>
> The current implementation of the AccessController grants users with *GLOBAL* CREATE
or ADMIN privilege implicit write access to the META and ACL tables, so when a new table is
created new entries can be added to META and ACL appropriately in the pre and post handlers
with the credentials supplied in the RPC context. Although any user with GLOBAL CREATE or
ADMIN is already superuser-like in many respects, the implicit write privilege is an artifact
of implementation that should be changed. We can remove the implicit write access. After doing
so, users with GLOBAL CREATE will not be able to elevate their privileges unexpectedly through
direct access to the ACL table. A GLOBAL ADMIN will be still correctly be allowed to grant
themselves any desired privilege.
> This issue was discovered and raised by [~devaraj] on private@hbase as a potential security
issue and was included in the 0.94.24 and 0.98.8 releases prior to the filing of this JIRA.
> I've set the priority of this issue only at 'Major' since it only affects users with
GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a superuser, and GLOBAL CREATE likewise
should already also be considered superuser-lite access and sparingly granted to trusted personnel.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message