From: "Heng Chen (JIRA)"
To: issues@hbase.apache.org
Date: Fri, 21 Aug 2015 06:14:45 +0000 (UTC)
Subject: [jira] [Updated] (HBASE-14265) we should forbid creating table using 'hbase' namespace except by superuser

     [ https://issues.apache.org/jira/browse/HBASE-14265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Heng Chen updated HBASE-14265:
------------------------------
    Attachment: HBASE-14265_v2.patch

{quote}
Have you tried this patch with security features active? Does this prevent the creation of the ACL and labels tables? If so this can be fixed by conditionally allowing the create if the effective user is a superuser, see Superusers#isSuperUser
{quote}

I see... You are right. I updated the patch as you suggested! Thanks for your review!
[~apurtell]

> we should forbid creating table using 'hbase' namespace except by superuser
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14265
>                 URL: https://issues.apache.org/jira/browse/HBASE-14265
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Heng Chen
>         Attachments: HBASE-14265.patch, HBASE-14265_v2.patch
>
>
> Now, there is no limit on which users can create a table under the 'hbase' namespace. I think it has some risk.
> Because we use {{TableName.systemTable}} to decide whether this table is a system table or not.
> But per the code, {{TableName.systemTable}} will be true if the NS equals 'hbase':
> {code}
>     if (Bytes.equals(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME, namespace)) {
>         this.namespace = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME;
>         this.namespaceAsString = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR;
>         this.systemTable = true;
>     }
> {code}
>
> And we treat system tables and normal tables differently.
> For example, https://issues.apache.org/jira/browse/HBASE-14257 will flush fast if the table belongs to the system tables.
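
Added example, not part of the original message and not the HBase patch: a self-contained Java model of the three create-table policies this thread touches on (no namespace check, a blanket block on the 'hbase' namespace, and the superuser exception suggested in the review). All class, method and user names are hypothetical, the requests are constructed, and the superuser set stands in for a Superusers#isSuperUser lookup.

```java
import java.util.Set;

// Simplified model, not HBase code: every class, method and user name is hypothetical.
public class SystemNamespaceGuard {
    static final String SYSTEM_NAMESPACE = "hbase";

    // Same rule as the quoted snippet: the namespace alone marks a table as system.
    static boolean isSystemTable(String table) {
        int sep = table.indexOf(':');
        String ns = sep < 0 ? "default" : table.substring(0, sep);
        return SYSTEM_NAMESPACE.equals(ns);
    }

    // Policy 1 (reported behaviour): namespace is never checked on create.
    static boolean allowNoCheck(String user, String table) {
        return true;
    }

    // Policy 2 (blanket block): safe against users, but in this model it also
    // stops the ACL and labels tables from being created.
    static boolean allowBlanketBlock(String user, String table) {
        return !isSystemTable(table);
    }

    // Policy 3 (reviewer's suggestion): block unless the effective user is a
    // superuser. The Set stands in for a Superusers#isSuperUser lookup.
    static boolean allowSuperuserOnly(String user, Set<String> superusers, String table) {
        return !isSystemTable(table) || superusers.contains(user);
    }

    public static void main(String[] args) {
        Set<String> superusers = Set.of("hbase");   // constructed sample configuration
        String[][] requests = {                      // constructed sample requests
            {"alice", "hbase:mytable"},   // ordinary user, system namespace
            {"alice", "orders"},          // ordinary user, default namespace
            {"hbase", "hbase:acl"},       // superuser creating the ACL table
            {"hbase", "hbase:labels"},    // superuser creating the labels table
        };
        System.out.printf("%-6s %-14s %-8s %-8s %s%n",
            "user", "table", "noCheck", "blanket", "superuserOnly");
        for (String[] r : requests) {
            System.out.printf("%-6s %-14s %-8b %-8b %b%n", r[0], r[1],
                allowNoCheck(r[0], r[1]),
                allowBlanketBlock(r[0], r[1]),
                allowSuperuserOnly(r[0], superusers, r[1]));
        }
    }
}
```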