hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Huaiyu Zhu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12511) namespace permissions - add support from table creation privilege in a namespace 'C'
Date Mon, 08 Dec 2014 18:47:14 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14238233#comment-14238233
] 

Huaiyu Zhu commented on HBASE-12511:
------------------------------------

{quote}This one requireGlobalPermission(String request, Action perm, String namespace){quote}
This method checks global permission only. It is used to grant/revoke/modifyNS. We still need
a new requirePermission for NS+global checks.

{quote}Agreed with deleteTable, and possibly others (modify table) etc which should be fixed
together with createTable.{quote}
There is no need to fix them. When requirePermission("deleteTable", tableName, null, null,
Action.ADMIN, Action.CREATE) is called in preDeleteTable/preModifyTable, it does not only
check table permission but also checks NS and global ones. This behavior is implemented in
different versions of authManager.authorize methods.

But create table is different, because before we create the table, the table permission does
not even exist. We need a requirePermission for namespace+global checks. This is the missing
function I added in the patch.

{quote}it relies on exception catching for the regular code path, which is quite costly. The
exception should not be raised in the global check. If at the end of global + NS check it
fails, only then the exception should be thrown.{quote}
Agree, raise an additional exception is unnecessary. Since requirePermission checks both global
and ns, I just removed the globalRequirePermission.

> namespace permissions - add support from table creation privilege in a namespace 'C'
> ------------------------------------------------------------------------------------
>
>                 Key: HBASE-12511
>                 URL: https://issues.apache.org/jira/browse/HBASE-12511
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>            Assignee: Huaiyu Zhu
>         Attachments: HBASE-12511.patch, HBASE-12511.patch
>
>
> As discussed in namespace permission Jira. A user granted a 'C' on a namespace enables
a user to create tables within the namespace. 'C' on a namespace does not enable a user to
create/drop the namespace.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message