hbase-issues mailing list archives

From "li xiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14818) user_permission does not list namespace permissions
Date Thu, 19 May 2016 16:01:12 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15291365#comment-15291365

li xiang commented on HBASE-14818:

Hi Ashish, thanks for the comments!

Previously, I mean, without any patch, regex matching is only supported for tables. This is why
the output when the user passes '.*' includes table permissions only. When the input starts with
"@", the logic is to exactly match the namespace name, not to do regex matching. Patches v2
and v3 add support for regex matching when it starts with "@".

The reason why I still respect the behavior that "@" is for namespaces only, and that without "@"
it is for tables only, is that I do not want to mix them together. I tried to add the logic (in
patch v1) to support that when the user passes '.*', tables and namespaces are both scanned, but
it results in a behavior change: previously, suppose there is a namespace called "ns3"; user_permission
'ns3' returns nothing, because it is treated as a table name. But with patch v1, user_permission
'ns3' will list the permissions for namespace ns3. It seems to break the rule that the namespace
must start with "@".

> user_permission does not list namespace permissions
> ---------------------------------------------------
>                 Key: HBASE-14818
>                 URL: https://issues.apache.org/jira/browse/HBASE-14818
>             Project: HBase
>          Issue Type: Bug
>          Components: hbase
>    Affects Versions: 1.2.0
>            Reporter: Steven Hancz
>            Assignee: li xiang
>            Priority: Minor
>             Fix For: master
>         Attachments: HBASE-14818-master-v3.patch, HBASE-14818-v0.patch, HBASE-14818-v1.patch,
> The user_permission command does not list namespace permissions:
> For example: if I create a new namespace or use an existing namespace and grant a user privileges to that namespace, the command user_permission does not list it. The permission is visible in the acl table.
> Example:
> hbase(main):005:0>  create_namespace 'ns3'
> 0 row(s) in 0.1640 seconds
> hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
> 0 row(s) in 0.5680 seconds
> hbase(main):008:0> user_permission '.*'
> User                               Namespace,Table,Family,Qualifier:Permission      
>  sh82993                           finance,finance:emp,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
>  @hbaseglobaldba                   hbase,hbase:acl,,: [Permission: actions=EXEC,CREATE,ADMIN]
>  @hbaseglobaloper                  hbase,hbase:acl,,: [Permission: actions=EXEC,ADMIN]
>  hdfs                              hbase,hbase:acl,,: [Permission: actions=READ,WRITE,CREATE,ADMIN,EXEC]
>  sh82993                           ns1,ns1:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
>  ns1admin                          ns1,ns1:tbl2,,: [Permission: actions=EXEC,CREATE,ADMIN]
>  @hbaseappltest_ns1funct           ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC]
>  ns1funct                          ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
>  hbase                             ns2,ns2:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
> 9 row(s) in 1.8090 seconds
> As you can see user test_user does not appear in the output, but we can see the permission in the ACL table.
> hbase(main):001:0>  scan 'hbase:acl'
> ROW                                COLUMN+CELL                                      
>  @finance                          column=l:sh82993, timestamp=1444405519510, value=RWXCA
>  @gcbcppdn                         column=l:hdfs, timestamp=1446141119602, value=RWCXA
>  @hbase                            column=l:hdfs, timestamp=1446141485136, value=RWCAX
>  @ns1                              column=l:@hbaseappltest_ns1admin, timestamp=1447437007467,
>  @ns1                              column=l:@hbaseappltest_ns1funct, timestamp=1447427366835,
>  @ns2                              column=l:@hbaseappltest_ns2admin, timestamp=1446674470456,
>  @ns2                              column=l:test_user, timestamp=1447692840030, value=RWAC
>  @ns3                              column=l:test_user, timestamp=1447692860434, value=RWXAC
>  finance:emp                       column=l:sh82993, timestamp=1444407723316, value=RWXCA
>  hbase:acl                         column=l:@hbaseglobaldba, timestamp=1446590375370,
>  hbase:acl                         column=l:@hbaseglobaloper, timestamp=1446590387965,
>  hbase:acl                         column=l:hdfs, timestamp=1446141737213, value=RWCAX
>  ns1:tbl1                          column=l:sh82993, timestamp=1446674153058, value=RWXCA
>  ns1:tbl2                          column=l:@hbaseappltest_ns1funct, timestamp=1447183824580,
>  ns1:tbl2                          column=l:ns1admin, timestamp=1447183766370, value=XCA
>  ns1:tbl2                          column=l:ns1funct, timestamp=1447184077545, value=RWXCA
>  ns2:tbl1                          column=l:hbase, timestamp=1447182228314, value=RWXCA
> 11 row(s) in 0.4990 seconds
> It would be nice to be able to see namespace permissions via the user_permission '.*' command as scanning the acl table is not the recommended way to view object permissions. Especially if one is looking to access base via a shell and collect ACL information.
> Steven

This message was sent by Atlassian JIRA
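
The three lookup behaviors discussed in this message, modelled in Ruby (the HBase shell's language) as an added example; this is not HBase source or patch code. The `mode` switch, the helper names and the whole-name regex match are assumptions, the rows are constructed from the quoted `hbase:acl` scan, and v1's handling of an "@" argument is assumed unchanged from the unpatched behavior.

```ruby
# Added illustration, not HBase source. Rows are constructed from the
# hbase:acl scan quoted in the issue: [row key, user, actions].
ACL_ROWS = [
  ["@finance",    "sh82993",   "RWXCA"],
  ["@ns2",        "test_user", "RWAC"],
  ["@ns3",        "test_user", "RWXAC"],
  ["finance:emp", "sh82993",   "RWXCA"],
  ["ns1:tbl1",    "sh82993",   "RWXCA"],
  ["ns2:tbl1",    "hbase",     "RWXCA"],
].freeze

# Assumption: a pattern must match the whole name, not a substring.
def full_match?(pattern, name)
  Regexp.new("\\A(?:#{pattern})\\z").match?(name)
end

def namespace_rows
  ACL_ROWS.select { |key, _, _| key.start_with?("@") }
end

def table_rows
  ACL_ROWS.reject { |key, _, _| key.start_with?("@") }
end

# mode is a hypothetical switch: :unpatched, :v1 or :v3.
def user_permission(arg, mode)
  if arg.start_with?("@")
    name = arg[1..-1]
    namespace_rows.select do |key, _, _|
      ns = key[1..-1]
      # Only v2/v3 treat the text after "@" as a regex; otherwise exact match.
      mode == :v3 ? full_match?(name, ns) : ns == name
    end
  else
    hits = table_rows.select { |key, _, _| full_match?(arg, key) }
    # v1 also scanned namespaces for an argument without "@".
    hits += namespace_rows.select { |key, _, _| full_match?(arg, key[1..-1]) } if mode == :v1
    hits
  end
end

# Grants an auditor never sees when running both '.*' and '@.*'.
def missed_by_audit(mode)
  ACL_ROWS - (user_permission(".*", mode) + user_permission("@.*", mode))
end
```

In this model an ACL review that relies on `user_permission` needs both `'.*'` and `'@.*'` under v3 to cover every row, while the unpatched behavior leaves all namespace grants out of either listing.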
