hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "li xiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10879) user_permission shell command on namespace doesn't work
Date Sat, 20 Feb 2016 10:15:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15155540#comment-15155540

li xiang commented on HBASE-10879:

Hi Ted, I am working on HBASE-14818 and it is based on the function called getUserPermissions()
contributed by you in this JIRA. I found that the request sent is with type = Namespace, but
the response returned contains Global permissions. I am not sure if I understand it correctly
or it might be a bug. Could you please review my findings follow:

It is in hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java, from
line 2380, and I made some comments into it
   * A utility used to get permissions for selected namespace.
   * <p>
   * It's also called by the shell, in case you want to find references.
   * @param protocol the AccessControlService protocol proxy
   * @param namespace name of the namespace
   * @throws ServiceException
  public static List<UserPermission> getUserPermissions(
      AccessControlService.BlockingInterface protocol,
      byte[] namespace) throws ServiceException {
    AccessControlProtos.GetUserPermissionsRequest.Builder builder =
    if (namespace != null) {
    builder.setType(AccessControlProtos.Permission.Type.Namespace);  //builder is set with
type = Namespace
    AccessControlProtos.GetUserPermissionsRequest request = builder.build();  //I printed
the request, its type is Namespace, which is correct.
    AccessControlProtos.GetUserPermissionsResponse response =  
       protocol.getUserPermissions(null, request);
/* I printed the response, it contains Global permissions, as below, not a Namespace permission.

user_permission {
  user: "a1"
  permission {
    type: Global
    global_permission {
      action: READ
      action: WRITE
      action: ADMIN
      action: EXEC
      action: CREATE

AccessControlProtos.GetUserPermissionsRequest has a member called type_ to store the type,
but AccessControlProtos.GetUserPermissionsResponse does not.
    List<UserPermission> perms = new ArrayList<UserPermission>(response.getUserPermissionCount());
    for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
      perms.add(ProtobufUtil.toUserPermission(perm));  // (1)
    return perms;

The perms returned are all Global user permissions. But I feel that in this function, you
might would like to return a list of Namespace user permission.
If it is the case, the line with "//(1)" above can be changed from
perms.add(new UserPermission(perm.getUser().toByteArray(), Bytes.toString(namespace), toTablePermission(perm.getPermission()).getActions()));

ProtobufUtil.toUserPermission() calls toTablePermission() which acts differently according
to Global/Namespace/Table user permission types. If perm sent to toTablePermission() has type=Namespace
set, the namespace field can be set. But the permissions returned by response.getUserPermissionList()
has type=Global.

It is quite wired that I grant a Namespace user permission, and then send a getUserPermission
request which is also with type=Namespace,  but the response returned contains a list of Global
user permission. Do you know why?

> user_permission shell command on namespace doesn't work
> -------------------------------------------------------
>                 Key: HBASE-10879
>                 URL: https://issues.apache.org/jira/browse/HBASE-10879
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>             Fix For: 0.98.2, 0.96.3
>         Attachments: 10879-v1.txt, 10879-v2.txt
> Currently user_permission command on namespace, e.g.
> {code}
> user_permission '@ns'
> {code}
> would result in the following exception:
> {code}
> Exception `NameError' at /usr/lib/hbase/lib/ruby/hbase/security.rb:170 - no method 'getUserPermissions'
for arguments (org.apache.hadoop.hbase.protobuf.generated.          AccessControlProtos.AccessControlService.BlockingStub,org.jruby.java.proxies.ArrayJavaProxy)
on Java::OrgApacheHadoopHbaseProtobuf::ProtobufUtil
> ERROR: no method 'getUserPermissions' for arguments (org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingStub,org.jruby.java.
      proxies.ArrayJavaProxy) on Java::OrgApacheHadoopHbaseProtobuf::ProtobufUtil
> Backtrace: /usr/lib/hbase/lib/ruby/hbase/security.rb:170:in `user_permission'
>            /usr/lib/hbase/lib/ruby/shell/commands/user_permission.rb:39:in `command'
>            org/jruby/RubyKernel.java:2109:in `send'
>            /usr/lib/hbase/lib/ruby/shell/commands.rb:34:in `command_safe'
>            /usr/lib/hbase/lib/ruby/shell/commands.rb:91:in `translate_hbase_exceptions'
>            /usr/lib/hbase/lib/ruby/shell/commands.rb:34:in `command_safe'
>            /usr/lib/hbase/lib/ruby/shell.rb:127:in `internal_command'
>            /usr/lib/hbase/lib/ruby/shell.rb:119:in `command'
>            (eval):2:in `user_permission'
>            (hbase):1:in `evaluate'
>            org/jruby/RubyKernel.java:1112:in `eval'
> {code}

This message was sent by Atlassian JIRA

View raw message