hbase-issues mailing list archives

From "Ashish Singhi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14809) Namespace permission granted to group
Date Sat, 14 Nov 2015 06:29:11 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005199#comment-15005199 ]

Ashish Singhi commented on HBASE-14809:

1. Can we add the test in {{TestNamespaceCommands}}, as we already have some grant and revoke operation tests there on namespaces and will be able to assert on global admin also.
2. Also suggest verifying for users denied to perform this action.

> Namespace permission granted to group
> --------------------------------------
>                 Key: HBASE-14809
>                 URL: https://issues.apache.org/jira/browse/HBASE-14809
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.2
>            Reporter: Steven Hancz
>         Attachments: 14809-v1.txt, 14809-v2.txt
>
> Hi,
> We are looking to roll out HBase and are in the process of designing the security model.
> We are looking to implement global DBAs and namespace-specific administrators.
> So for example the global DBA would create a namespace and grant a user/group admin privileges within that ns.
> So that a given ns admin can in turn create objects and grant permission within the given ns only.
> We have run into some issues at the ns admin level. It appears that a ns admin can NOT grant to a group unless it also has global admin privilege. But once it has global admin privilege it can grant in any NS, not just the one where it has admin privileges.
> Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix
>
> Table 13. ACL Matrix
> Interface         Operation               Permissions
> AccessController  grant(global level)     global(A)
> AccessController  grant(namespace level)  global(A)|NS(A)
>
> grant at a namespace level should be possible for someone with global A OR (|) NS A permission.
> As you will see in our test it does not work if NS A permission is granted but global A permission is not.
> Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
> hbase(main):011:0> scan 'hbase:acl'
> @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
> However:
> Here you can see that a user who is a member of the group hbaseappltest_ns1admin can not grant a WRX privilege to a group as it is missing global A privilege.
> $hbase shell
> 15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available
> HBase Shell; enter 'help<RETURN>' for list of supported commands.
> Type "exit<RETURN>" to leave the HBase Shell
> Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
> hbase(main):001:0> whoami
> ns1admin@WLAB.NET (auth:KERBEROS)
> groups: hbaseappltest_ns1admin
> hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ns1admin' (global, action=ADMIN)
> The way I read the documentation a NS admin should be able to grant as it has ns level A privilege, not only object level permission.
> CDH is version 5.4.7 and HBase is version 1.0.
> Regards,
> Steven

This message was sent by Atlassian JIRA
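The report above boils down to a difference between two authorization rules for a namespace-level grant: the documented one (global(A) OR NS(A) on the target namespace) and the observed one (global ADMIN required, which then also lets the grantee grant in every namespace). The following Python model, added here as an illustration and not HBase code or part of the JIRA thread, encodes both rules over a toy copy of the hbase:acl rows so the three cases a test would want (namespace admin allowed in its own namespace, denied elsewhere, non-admin denied) can be checked side by side. The user names, the second group and the global DBA entry are constructed sample data modelled on the report; the group entry for ns1 is the row from the scan output.

```python
"""Model of the namespace-level grant check from HBASE-14809 (illustration only).

This is not HBase's AccessController; it only mirrors the documented rule
(grant at namespace level needs global(A) OR NS(A)) and the behaviour seen
in the report (global ADMIN demanded). The ACL rows and principals below
are constructed sample data, except the ns1 group row taken from the scan.
"""
from copy import deepcopy
from dataclasses import dataclass, field

ADMIN = "A"  # action letters as stored in hbase:acl values: R, W, X, C, A


@dataclass
class AclTable:
    # scope -> {principal: set(actions)}; "" is the global scope, "@ns" a namespace,
    # and group principals carry the '@' prefix as in the shell output.
    rows: dict = field(default_factory=dict)

    def grant(self, principal, actions, scope=""):
        self.rows.setdefault(scope, {})[principal] = set(actions)

    def actions_for(self, user, groups, scope):
        """Union of actions held directly by the user and via any of its groups."""
        perms = self.rows.get(scope, {})
        held = set(perms.get(user, set()))
        for group in groups:
            held |= perms.get("@" + group, set())
        return held


def observed_check(acl, user, groups, target_ns):
    """Behaviour in the report: only global ADMIN may grant at namespace level,
    so the target namespace is ignored and a pure NS admin is denied."""
    return ADMIN in acl.actions_for(user, groups, "")


def documented_check(acl, user, groups, target_ns):
    """Rule from the ACL matrix row 'grant(namespace level): global(A)|NS(A)'."""
    return (ADMIN in acl.actions_for(user, groups, "")
            or ADMIN in acl.actions_for(user, groups, "@" + target_ns))


def build_sample_acl():
    acl = AclTable()
    acl.grant("@hbaseappltest_ns1admin", "XCA", "@ns1")  # row seen in the report's scan
    acl.grant("globaldba", "RWXCA")                       # constructed global admin
    return acl


NS1ADMIN = ("ns1admin", ["hbaseappltest_ns1admin"])  # whoami output from the report
FUNCT = ("ns1funct", ["hbaseappltest_ns1funct"])     # constructed non-admin user
DBA = ("globaldba", [])                              # constructed global DBA


def scenario():
    """Outcome of each rule for the cases a regression test would assert on."""
    acl = build_sample_acl()
    return {
        "observed ns1admin->ns1": observed_check(acl, *NS1ADMIN, "ns1"),    # denied (bug)
        "documented ns1admin->ns1": documented_check(acl, *NS1ADMIN, "ns1"),  # allowed
        "documented ns1admin->ns2": documented_check(acl, *NS1ADMIN, "ns2"),  # denied
        "documented funct->ns1": documented_check(acl, *FUNCT, "ns1"),        # denied
        "documented dba->ns2": documented_check(acl, *DBA, "ns2"),            # allowed
    }


def with_global_workaround():
    """The workaround implied by the report: giving ns1admin global A makes the
    grant succeed, but it now succeeds in every namespace, not only ns1."""
    acl = deepcopy(build_sample_acl())
    acl.grant("ns1admin", "A")  # global scope
    return {
        "observed ns1admin->ns1": observed_check(acl, *NS1ADMIN, "ns1"),
        "observed ns1admin->ns2": observed_check(acl, *NS1ADMIN, "ns2"),
    }


if __name__ == "__main__":
    for name, allowed in {**scenario(), **with_global_workaround()}.items():
        print(f"{name:28s} {'allowed' if allowed else 'denied'}")
```

The `documented_check` cases are the three assertions the comment asks for: the namespace admin succeeds in its own namespace, is refused in another, and a user with no A at either scope is refused; `with_global_workaround` shows why granting global A to get past the error is not an acceptable substitute, since it removes the namespace boundary entirely.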
