hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12564) consolidate the getTableDescriptors() semantic
Date Thu, 04 Dec 2014 19:27:12 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14234516#comment-14234516
] 

Andrew Purtell commented on HBASE-12564:
----------------------------------------

Anyway I looked at the v2 patch and it seems to do the right thing, we won't return descriptors
unless the user has ADMIN or CREATE permissions in dominant scope. In postGetTableNames we
will return table _names_ if the user has any of the Action bits in dominant scope, but that
doesn't seem to be a problem, it follows that a user with any access to a table must know
its name to make use of it.

> consolidate the getTableDescriptors() semantic
> ----------------------------------------------
>
>                 Key: HBASE-12564
>                 URL: https://issues.apache.org/jira/browse/HBASE-12564
>             Project: HBase
>          Issue Type: Bug
>          Components: Client, master
>    Affects Versions: 2.0.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>             Fix For: 2.0.0
>
>         Attachments: HBASE-12564-v0.patch, HBASE-12564-v1.patch, HBASE-12564-v2.patch
>
>
> Master getTableDescriptors() which is called by Admin.listTables() has a couple of different
behaviors depending on how it is called. 
> after HBASE-12073 with the AccessController enabled, we now get a "global admin" required
if listTables() is called without a regex otherwise we return only the table that the user
can see (we show only the tables that the user have access to, which means or the user is
a global admin or it has a table-level create/admin). We probably should have the second behavior
even without regex, since I should able to see "my own tables". 
> getTableDescriptors() is returning only non system tables. Tools like user_permission
that are doing "for each listTable(): userPerm(table)" are losing the system tables, so stuff
like user_permission 'hbase:acls' will not result any result.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message