Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E9F8710F17 for ; Fri, 5 Dec 2014 10:57:12 +0000 (UTC) Received: (qmail 67696 invoked by uid 500); 5 Dec 2014 10:57:12 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 67652 invoked by uid 500); 5 Dec 2014 10:57:12 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 67641 invoked by uid 99); 5 Dec 2014 10:57:12 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Dec 2014 10:57:12 +0000 Date: Fri, 5 Dec 2014 10:57:12 +0000 (UTC) From: "Ashish Singhi (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HBASE-12348) preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-12348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ashish Singhi updated HBASE-12348: ---------------------------------- Description: A user with ADMIN and CREATE rights {{only on the column family}} is denied from performing DeleteColumn and ModifyColumn operations on the table. also Family name can be added in audit log for addColumn {noformat} alter 't', 'd2' 2014-10-27 20:44:45,635 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Table permission granted; remote address: /10.18.40.106; request: addColumn; context: (user=ashish, scope=t, family=, action=ADMIN) {noformat} was: Family name can be added in audit log for addColumn, deleteColumn and modifyColumn operations similar to createTable operation. {noformat} create 't', 'd' 2014-10-27 20:41:54,303 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Global check allowed; remote address: /10.18.40.106; request: createTable; context: (user=ashish, scope=t, family=d, action=CREATE) alter 't', NAME => 'd', VERSIONS => 5 2014-10-27 20:42:54,771 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Table permission granted; remote address: /10.18.40.106; request: modifyColumn; context: (user=ashish, scope=t, family=, action=ADMIN) alter 't', 'd2' 2014-10-27 20:44:45,635 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Table permission granted; remote address: /10.18.40.106; request: addColumn; context: (user=ashish, scope=t, family=, action=ADMIN) alter 't', NAME => 'd2', METHOD => 'delete' 2014-10-27 20:45:25,681 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Table permission granted; remote address: /10.18.40.106; request: deleteColumn; context: (user=ashish, scope=t, family=, action=ADMIN) {noformat} Priority: Major (was: Minor) Fix Version/s: 0.98.9 2.0.0 1.0.0 Issue Type: Bug (was: Improvement) Summary: preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights (was: Add family name in audit log for addColumn, deleteColumn and modifyColumn operations) > preModifyColumn and preDeleteColumn in AC denies user to perform its operation though it has required rights > ------------------------------------------------------------------------------------------------------------ > > Key: HBASE-12348 > URL: https://issues.apache.org/jira/browse/HBASE-12348 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 0.98.5 > Reporter: Ashish Singhi > Assignee: Ashish Singhi > Fix For: 1.0.0, 2.0.0, 0.98.9 > > Attachments: HBASE-12348.patch > > > A user with ADMIN and CREATE rights {{only on the column family}} is denied from performing DeleteColumn and ModifyColumn operations on the table. > also > Family name can be added in audit log for addColumn > {noformat} > alter 't', 'd2' > 2014-10-27 20:44:45,635 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; reason: Table permission granted; remote address: /10.18.40.106; request: addColumn; context: (user=ashish, scope=t, family=, action=ADMIN) > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)