Date: Sat, 22 Aug 2015 00:41:46 +0000 (UTC)
From: "Andrew Purtell (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-14265) we should forbid creating table using 'hbase' namespace except by superuser

    [ https://issues.apache.org/jira/browse/HBASE-14265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14707698#comment-14707698 ]

Andrew Purtell commented on HBASE-14265:
----------------------------------------

bq. I reconsider this patch, and found this is not what I want. [...] we only forbid creating table using 'hbase' namespace when security disabled

OK, that's fine.

In which case, the only change I'd recommend is reusing our existing AccessDeniedException instead of introducing a new exception type SystemNamespaceAccessException. This is because with security enabled the AccessController will throw ADE back to the clients. Would be weird for clients to need to deal potentially with two exception types whether or not security is active.

> we should forbid creating table using 'hbase' namespace except by superuser
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14265
>                 URL: https://issues.apache.org/jira/browse/HBASE-14265
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Heng Chen
>         Attachments: HBASE-14265.patch, HBASE-14265_v2.patch, HBASE-14265_v3.patch
>
>
> Now, there is no limit for users who can create table under 'hbase' NameSpace. I think it has some risk.
> Because we use {{TableName.systemTable}} to decide whether this table is System or not.
> But as code, {{TableName.systemTable}} will be true, if NS equals 'hbase'
> {code}
>  if (Bytes.equals(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME, namespace)) {
>         this.namespace = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME;
>         this.namespaceAsString = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR;
>         this.systemTable = true;
>  }
> {code}
>
> And we treat system table and normal table differently.
> For example, https://issues.apache.org/jira/browse/HBASE-14257 will flush fast if table belongs to system table.
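The recommendation in the comment above, as an added Java sketch that is not part of the original message, the attached patches, or HBase itself: a create-table guard that raises one exception type whether or not security is active, so client code needs a single catch clause. Assumptions: the class `SystemNamespaceGuard`, the method `checkCreateTable`, the local `AccessDeniedException` stand-in, the superuser name, and the policy that the system namespace is closed to everyone when security is disabled are all hypothetical illustrations.

```java
import java.io.IOException;
import java.util.Set;

// Added illustration, not HBase source. Every class and method here is a hypothetical stand-in.
public class SystemNamespaceGuard {
    // Local stand-in for HBase's AccessDeniedException so the example compiles without HBase.
    static class AccessDeniedException extends IOException {
        AccessDeniedException(String msg) { super(msg); }
    }

    static final String SYSTEM_NAMESPACE = "hbase"; // namespace named in the issue

    // Same rule as the snippet quoted in the issue: the namespace alone sets the system-table flag.
    static boolean isSystemTable(String namespace) {
        return SYSTEM_NAMESPACE.equals(namespace);
    }

    // Assumed policy: with security on, only superusers pass (the access-control path);
    // with security off, identities are unauthenticated, so the system namespace is closed.
    static void checkCreateTable(boolean securityEnabled, Set<String> superusers,
                                 String user, String namespace) throws AccessDeniedException {
        if (!isSystemTable(namespace)) {
            return; // ordinary namespaces are outside this guard
        }
        if (securityEnabled && superusers.contains(user)) {
            return;
        }
        // Both modes raise the same type, so callers need a single catch clause.
        throw new AccessDeniedException("user '" + user + "' may not create tables in namespace '"
            + namespace + "' (security " + (securityEnabled ? "enabled" : "disabled") + ")");
    }

    public static void main(String[] args) {
        Set<String> superusers = Set.of("hbase_admin"); // constructed sample superuser
        Object[][] requests = { // constructed sample requests: securityEnabled, user, namespace
            {true, "alice", "default"}, {true, "alice", "hbase"}, {true, "hbase_admin", "hbase"},
            {false, "alice", "default"}, {false, "alice", "hbase"},
        };
        for (Object[] r : requests) {
            try {
                checkCreateTable((Boolean) r[0], superusers, (String) r[1], (String) r[2]);
                System.out.println("ALLOW " + r[1] + " in " + r[2]);
            } catch (AccessDeniedException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```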