Date: Tue, 9 May 2017 11:58:04 +0000 (UTC)
From: "Zheng Hu (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Comment Edited] (HBASE-11013) Clone Snapshots on Secure Cluster Should provide option to apply Retained User Permissions

    [ https://issues.apache.org/jira/browse/HBASE-11013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16002551#comment-16002551 ]

Zheng Hu edited comment on HBASE-11013 at 5/9/17 11:57 AM:
-----------------------------------------------------------

[~tedyu], Sure.
We can test it with the following shell commands (I did not implement the Ruby shell command in patch v1, and made up for it in patch v2):
{code}
hbase(main):034:0> grant 'user1', 'RW', 't1'
Took 0.0970 seconds
hbase(main):035:0> grant 'user2', 'R', 't1'
Took 0.0850 seconds
hbase(main):036:0> grant 'user3', 'RWXCA', 't1'
Took 0.0830 seconds
hbase(main):037:0> user_permission 't1'
User       Namespace,Table,Family,Qualifier:Permission
 user1     default,t1,,: [Permission: actions=READ,WRITE]
 user2     default,t1,,: [Permission: actions=READ]
 user3     default,t1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
3 row(s)
Took 0.0460 seconds
hbase(main):038:0> snapshot 't1', 'snapT1'
Took 0.3580 seconds
hbase(main):039:0> clone_snapshot 'snapT1', 'tableWithAcl', {RESTORE_ACL=>true}
Took 0.8660 seconds
hbase(main):040:0> user_permission 'tableWithAcl'
User       Namespace,Table,Family,Qualifier:Permission
 user1     default,tableWithAcl,,: [Permission: actions=READ,WRITE]
 user2     default,tableWithAcl,,: [Permission: actions=READ]
 openinx   default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 user3     default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
4 row(s)
Took 0.0430 seconds
hbase(main):041:0> clone_snapshot 'snapT1', 'tableWithoutAcl'
Took 0.3620 seconds
hbase(main):042:0> user_permission 'tableWithoutAcl'
User       Namespace,Table,Family,Qualifier:Permission
 openinx   default,tableWithoutAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
1 row(s)
{code}
PS: openinx is the user who executes the shell command.

Thanks for your feedback.


was (Author: openinx):
[~tedyu], Sure.
We can test it with the following shell commands (I did not implement the Ruby shell command in patch v1, and did it in patch v2):
{code}
hbase(main):034:0> grant 'user1', 'RW', 't1'
Took 0.0970 seconds
hbase(main):035:0> grant 'user2', 'R', 't1'
Took 0.0850 seconds
hbase(main):036:0> grant 'user3', 'RWXCA', 't1'
Took 0.0830 seconds
hbase(main):037:0> user_permission 't1'
User       Namespace,Table,Family,Qualifier:Permission
 user1     default,t1,,: [Permission: actions=READ,WRITE]
 user2     default,t1,,: [Permission: actions=READ]
 user3     default,t1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
3 row(s)
Took 0.0460 seconds
hbase(main):038:0> snapshot 't1', 'snapT1'
Took 0.3580 seconds
hbase(main):039:0> clone_snapshot 'snapT1', 'tableWithAcl', {RESTORE_ACL=>true}
Took 0.8660 seconds
hbase(main):040:0> user_permission 'tableWithAcl'
User       Namespace,Table,Family,Qualifier:Permission
 user1     default,tableWithAcl,,: [Permission: actions=READ,WRITE]
 user2     default,tableWithAcl,,: [Permission: actions=READ]
 openinx   default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
 user3     default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
4 row(s)
Took 0.0430 seconds
hbase(main):041:0> clone_snapshot 'snapT1', 'tableWithoutAcl'
Took 0.3620 seconds
hbase(main):042:0> user_permission 'tableWithoutAcl'
User       Namespace,Table,Family,Qualifier:Permission
 openinx   default,tableWithoutAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
1 row(s)
{code}
PS: openinx is the user who executes the shell command.

Thanks for your feedback.

> Clone Snapshots on Secure Cluster Should provide option to apply Retained User Permissions
> ------------------------------------------------------------------------------------------
>
>                 Key: HBASE-11013
>                 URL: https://issues.apache.org/jira/browse/HBASE-11013
>             Project: HBase
>          Issue Type: Improvement
>          Components: snapshots
>            Reporter: Ted Yu
>            Assignee: Zheng Hu
>         Attachments: HBASE-11013.v1.patch, HBASE-11013.v2.patch
>
>
> Currently,
> {code}
> sudo su - test_user
> create 't1', 'f1'
> sudo su - hbase
> snapshot 't1', 'snap_one'
> clone_snapshot 'snap_one', 't2'
> {code}
> In this scenario the user - test_user would not have permissions for the clone table t2.
> We need to add an improvement feature such that the permissions of the original table are recorded in snapshot metadata and an option is provided for applying them to the new table as part of the clone process.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
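
Added example (not part of the original message or of the HBASE-11013 patches): a Ruby check that parses `user_permission` output like that in the session above and confirms whether a cloned table kept its source table's grants. The function names are hypothetical; the sample rows are copied from the session.

```ruby
# Added example: diff HBase table ACLs as printed by the shell's user_permission.
# Row shape: "<user> <ns>,<table>,<family>,<qualifier>: [Permission: actions=...]"
ROW = /^\s*(\S+)\s+(\S+?),(\S+?),([^,]*),([^:]*):\s*\[Permission:\s*actions=([A-Z,]*)\]/

# Parse into { [user, family, qualifier] => sorted actions }. Namespace and
# table name are dropped so a source table and its clone can be compared.
def parse_acl(text)
  text.each_line.with_object({}) do |line, acl|
    m = ROW.match(line) or next # skips prompts, header and "N row(s)" lines
    acl[[m[1], m[4], m[5]]] = m[6].split(',').sort
  end
end

# Grants the clone lost, grants only the clone has, and grants whose actions differ.
def acl_diff(source, clone)
  {
    missing: (source.keys - clone.keys).sort,
    extra:   (clone.keys - source.keys).sort,
    changed: (source.keys & clone.keys).reject { |k| source[k] == clone[k] }.sort
  }
end

# True when nothing is missing or changed and every extra grant belongs to the
# user who ran clone_snapshot, who appears with full rights on each clone above.
def acl_restored?(source, clone, cloner)
  d = acl_diff(source, clone)
  d[:missing].empty? && d[:changed].empty? && d[:extra].all? { |k| k.first == cloner }
end

# Sample rows copied from the session in this message.
SOURCE = parse_acl(<<~OUT)
  User Namespace,Table,Family,Qualifier:Permission
   user1 default,t1,,: [Permission: actions=READ,WRITE]
   user2 default,t1,,: [Permission: actions=READ]
   user3 default,t1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
  3 row(s)
OUT
WITH_ACL = parse_acl(<<~OUT)
  user1 default,tableWithAcl,,: [Permission: actions=READ,WRITE]
  user2 default,tableWithAcl,,: [Permission: actions=READ]
  openinx default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
  user3 default,tableWithAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
OUT
WITHOUT_ACL = parse_acl(<<~OUT)
  openinx default,tableWithoutAcl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
OUT

puts "tableWithAcl restored: #{acl_restored?(SOURCE, WITH_ACL, 'openinx')}"
puts "tableWithoutAcl diff: #{acl_diff(SOURCE, WITHOUT_ACL)}"
```

A non-empty `missing` list after a clone without `RESTORE_ACL` is the situation the issue describes: the original users have no access to the new table until grants are reapplied.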