hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10619) Don't allow non super users to do DDL ops on system tables
Date Thu, 09 Apr 2015 22:28:12 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14488404#comment-14488404 ]

Andrew Purtell commented on HBASE-10619:
----------------------------------------

-1 in current form. API is not good I think.

Do we need a new UserUtil? There's already User.

{noformat}
public static Pair<List<String>, List<String>> getSuperUsers(Configuration conf)
{noformat}
Returning a pair of lists is weird. It's not like entries in one are directly related to another.
One is a list of users. One is a list of groups. getSuperUsers should return the list of user
principals. A new getSuperGroups should return the list of group principals. 

{noformat}
public static boolean isSuperUser(User user, List<String> superUsers, List<String> superGroups)
{noformat}
This is kind of useless? You have to pass in the list of users and groups to check. Those
lists could be anything. How does this check if the User is actually a super user? 

Why not parse the superuser information out of Configuration and cache it in one place? In
User. Then have the AC and VC and other users call User methods rather than keep local copies
of these lists.


> Don't allow non super users to do DDL ops on system tables
> ----------------------------------------------------------
>
>                 Key: HBASE-10619
>                 URL: https://issues.apache.org/jira/browse/HBASE-10619
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Anoop Sam John
>            Assignee: Anoop Sam John
>         Attachments: HBASE-10619.patch, HBASE-10619_V2.patch, HBASE-10619_V3.patch, HBASE-10619_V4.patch, HBASE-10619_V5.patch, HBASE-10619_V6.patch
>
>
> Don't allow non super users to do DDL ops on system tables
> For META and NS tables, we should allow them to be disabled even by super users.  Without these tables online the cluster will be non operational.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
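
The design suggested in the comment above (parse the superuser setting once, cache it in one place, and have callers ask a question instead of passing in their own lists), sketched as an added example that is not part of the original message or of HBase. The class name `SuperuserCache`, its methods, and the `@` marker for group entries are assumptions made for this sketch.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not HBase code: class name, method names and the
// "@" group marker are assumptions made for this sketch.
public final class SuperuserCache {
    private static final String GROUP_PREFIX = "@";  // assumed marker for group entries
    private static volatile SuperuserCache instance; // null until initialize() runs

    private final Set<String> users;
    private final Set<String> groups;

    private SuperuserCache(Set<String> users, Set<String> groups) {
        this.users = Collections.unmodifiableSet(users);
        this.groups = Collections.unmodifiableSet(groups);
    }

    /** Parse the comma-separated superuser setting once; callers never hold the lists. */
    public static void initialize(String superuserSetting) {
        Set<String> users = new HashSet<>();
        Set<String> groups = new HashSet<>();
        if (superuserSetting != null) {
            for (String entry : superuserSetting.split(",")) {
                String name = entry.trim();
                if (name.isEmpty() || name.equals(GROUP_PREFIX)) continue; // skip blanks and a bare "@"
                if (name.startsWith(GROUP_PREFIX)) groups.add(name.substring(GROUP_PREFIX.length()));
                else users.add(name);
            }
        }
        instance = new SuperuserCache(users, groups); // single publish of an immutable snapshot
    }

    /** The caller supplies only the identity to test, never the lists to test against. */
    public static boolean isSuperUser(String userName, Collection<String> userGroups) {
        SuperuserCache cache = instance;
        if (cache == null) throw new IllegalStateException("superuser list not initialized"); // fail closed
        if (cache.users.contains(userName)) return true;
        for (String g : userGroups) if (cache.groups.contains(g)) return true;
        return false;
    }

    public static void main(String[] args) {
        initialize("admin, @ops, ,@"); // constructed sample setting
        System.out.println(isSuperUser("admin", Collections.emptyList()));
        System.out.println(isSuperUser("alice", Collections.singletonList("ops")));
        System.out.println(isSuperUser("ops", Collections.emptyList())); // user named like the group
    }
}
```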
