hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steven Hancz (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-14818) user_permission does not list namespace permissions
Date Mon, 16 Nov 2015 17:09:11 GMT
Steven Hancz created HBASE-14818:

             Summary: user_permission does not list namespace permissions
                 Key: HBASE-14818
                 URL: https://issues.apache.org/jira/browse/HBASE-14818
             Project: HBase
          Issue Type: Bug
          Components: hbase
    Affects Versions: 1.0.2
            Reporter: Steven Hancz
            Priority: Minor

The user_permission command does not list namespace permissions:

For example: if I create a new namespace or use an existing namespace and grant a user privileges
to that namespace the command user_permission does not list the. The permission is visible
in the acl table.

hbase(main):005:0>  create_namespace 'ns3'
0 row(s) in 0.1640 seconds
hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
0 row(s) in 0.5680 seconds
hbase(main):008:0> user_permission '.*'
User                               Namespace,Table,Family,Qualifier:Permission           
 sh82993                           finance,finance:emp,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 @hbaseglobaldba                   hbase,hbase:acl,,: [Permission: actions=EXEC,CREATE,ADMIN]
 @hbaseglobaloper                  hbase,hbase:acl,,: [Permission: actions=EXEC,ADMIN]   
 hdfs                              hbase,hbase:acl,,: [Permission: actions=READ,WRITE,CREATE,ADMIN,EXEC]
 sh82993                           ns1,ns1:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 ns1admin                          ns1,ns1:tbl2,,: [Permission: actions=EXEC,CREATE,ADMIN]
 @hbaseappltest_ns1funct           ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC] 
 ns1funct                          ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 hbase                             ns2,ns2:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
9 row(s) in 1.8090 seconds

As you can see user test_user does not appear in the output, but on can see the permission
in the ACL table. 

hbase(main):001:0>  scan 'hbase:acl'
ROW                                COLUMN+CELL                                           
 @finance                          column=l:sh82993, timestamp=1444405519510, value=RWXCA
 @gcbcppdn                         column=l:hdfs, timestamp=1446141119602, value=RWCXA   
 @hbase                            column=l:hdfs, timestamp=1446141485136, value=RWCAX   
 @ns1                              column=l:@hbaseappltest_ns1admin, timestamp=1447437007467,
 @ns1                              column=l:@hbaseappltest_ns1funct, timestamp=1447427366835,
 @ns2                              column=l:@hbaseappltest_ns2admin, timestamp=1446674470456,
 @ns2                              column=l:test_user, timestamp=1447692840030, value=RWAC
 @ns3                              column=l:test_user, timestamp=1447692860434, value=RWXAC
 finance:emp                       column=l:sh82993, timestamp=1444407723316, value=RWXCA
 hbase:acl                         column=l:@hbaseglobaldba, timestamp=1446590375370, value=XCA
 hbase:acl                         column=l:@hbaseglobaloper, timestamp=1446590387965, value=XA
 hbase:acl                         column=l:hdfs, timestamp=1446141737213, value=RWCAX   
 ns1:tbl1                          column=l:sh82993, timestamp=1446674153058, value=RWXCA
 ns1:tbl2                          column=l:@hbaseappltest_ns1funct, timestamp=1447183824580,
 ns1:tbl2                          column=l:ns1admin, timestamp=1447183766370, value=XCA 
 ns1:tbl2                          column=l:ns1funct, timestamp=1447184077545, value=RWXCA
 ns2:tbl1                          column=l:hbase, timestamp=1447182228314, value=RWXCA  
11 row(s) in 0.4990 seconds

It would be nice to be able to see namespace permissions via the user_permission '.*' command
as scanning the acl table is not the recommended way to view object permissions. Especially
if one is looking to access base via a shell and collect ACL information.


This message was sent by Atlassian JIRA

View raw message