hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14809) Grant / revoke Namespace admin permission to group
Date Tue, 17 Nov 2015 00:04:11 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15007669#comment-15007669
] 

Hudson commented on HBASE-14809:
--------------------------------

FAILURE: Integrated in HBase-1.1-JDK7 #1596 (See [https://builds.apache.org/job/HBase-1.1-JDK7/1596/])
HBASE-14809 Grant / revoke Namespace admin permission to group (tedyu: rev 93b11cef45b1e20a1d23f4f953477d154979271e)
* hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java


> Grant / revoke Namespace admin permission to group 
> ---------------------------------------------------
>
>                 Key: HBASE-14809
>                 URL: https://issues.apache.org/jira/browse/HBASE-14809
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.2
>            Reporter: Steven Hancz
>            Assignee: Ted Yu
>             Fix For: 2.0.0, 1.2.0, 1.3.0, 1.1.4
>
>         Attachments: 14809-v1.txt, 14809-v2.txt, 14809-v3.txt, 14809-v3.txt, 14809-v4.txt
>
>
> Hi, 
> We are looking to roll out HBase and are in the process to design the security model.

> We are looking to implement global DBAs and Namespace specific administrators. 
> So for example the global dba would create a namespace and grant a user/group admin privileges
within that ns. 
> So that a given ns admin can in turn create objects and grant permission within the given
ns only. 
> We have run into some issues at the ns admin level. It appears that a ns admin can NOT
grant to a grop unless it also has global admin privilege. But once it has global admin privilege
it can grant in any NS not just the one where it has admin privileges. 
> Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix

> Table 13. ACL Matrix 
> Interface	Operation	Permissions 
> AccessController grant(global level) global(A) 
> grant(namespace level) global(A)|NS(A) 
> grant at a namespace level should be possible for someone with global A OR (|) NS A permission.

> As you will see in our test it does not work if NS A permission is granted but global
A permission is not. 
> Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1. 
> {code}
> hbase(main):011:0> scan 'hbase:acl' 
> ROW COLUMN+CELL 
> @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA 
> {code}
> However: 
> Here you can see that a user who is member of the group hbaseappltest_ns1admin can not
grant a WRX privilege to a group as it is missing global A privilege. 
> {code}
> $hbase shell 
> 15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead,
use io.native.lib.available 
> HBase Shell; enter 'help<RETURN>' for list of supported commands. 
> Type "exit<RETURN>" to leave the HBase Shell 
> Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015 
> hbase(main):001:0> whoami 
> ns1admin@WLAB.NET (auth:KERBEROS) 
> groups: hbaseappltest_ns1admin 
> hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1' 
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions
for user 'ns1admin' (global, action=ADMIN) 
> {code}
> The way I read the documentation a NS admin should be able to grant as it has ns level
A privilege not only object level permission.
> CDH is a version 5.4.7 and Hbase is version 1.0. 
> Regards, 
> Steven



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message