hbase-user mailing list archives

From Andrew Purtell <andrew.purt...@gmail.com>
Subject Re: accessing _acl_ from hbase client
Date Mon, 04 Jun 2012 09:35:49 GMT
You need to pretend like the _acl_ table does not exist. It is an implementation detail. It's
like META and ROOT, another system table. 

Currently only the superuser can run the grant and revoke commands. This is a principal that
can be configured with the property hbase.superuser but is by default the service principal
under which the HBase daemons are running. This is by design. However in a future version
of the AccessController it is likely the ADMIN permission will be grantable for delegating
grant and revoke permissions to other users on a global or per table basis. 

    - Andy

On Jun 4, 2012, at 11:17 AM, Ben Kim <benkimkimben@gmail.com> wrote:

> Granting and revoking RW permission to a user-defined table works fine.
> Granting and revoking RW permission to .META. and -ROOT- don't work, but
> this makes sense because users aren't supposed to modify these tables (only reads
> are allowed).
> Granting and revoking RW permission to _acl_ don't work. Why? (I want a
> specific user like Admin to control the ACL.)
> I'm running client code with a user "Ben", and here's what I did...
>   - First, doing a scan on _acl_ worked without any permission settings.
>   - Then, from the hbase command line, I granted RW permission on _acl_
>   table to "Ben", scanning from the client worked again.
>   - Now, I revoked RW permission on _acl_ table of "Ben", now scanning
>   from the client didn't work.
>   - So, I re-granted RW permission on _acl_ table of "Ben", scanning
>   doesn't work. :(
> Also, granting permissions to _acl_ doesn't seem to affect the output of
> user_permission.
> user_permission '_acl_' always prints an empty result.
> BTW, I'm running hbase-0.94.0 on a single machine.
> Ben
> On Mon, Jun 4, 2012 at 5:23 PM, Andrew Purtell <apurtell@apache.org> wrote:
>> There are shell commands available for managing ACLs: grant, revoke, and
>> user_permission. Use these.
>>   - Andy
>> On Monday, June 4, 2012, Anoop Sam John wrote:
>>> Hi
>>>> it's sort of funny that I can still access the -ROOT- & .META. tables
>>>> without permissions. Do you think this is a bug? or am I doing something
>>>> wrong?
>>> No. The catalog tables are given read permission for everyone, as
>>> the client scans these tables in Put/Scan cases for other tables.
>>> You can use grant() and remove() functions provided in AccessController
>>> for controlling the users and admins etc.
>>> -Anoop-
>>> ________________________________________
>>> From: Ben Kim [benkimkimben@gmail.com]
>>> Sent: Monday, June 04, 2012 11:53 AM
>>> To: user@hbase.apache.org
>>> Subject: accessing _acl_ from hbase client
>>> Is there any way a client can access the _acl_ table?
>>> I want an administrator to be able to control the user access to all
>>> tables.
>>> In order to do this I'll need to access the _acl_ table from the HBase
>>> client.
>>> I'm thinking of something like the MySQL user table, which has all access
>>> permissions to tables.
>>> I already tried giving _acl_ access permission to the Admin user, (grant
>>> 'Admin', 'RW', '_acl_')
>>> but scanning through the _acl_ table with Admin user wasn't allowed.
>>> it's sort of funny that I can still access the -ROOT- & .META. tables
>>> without permissions. Do you think this is a bug? or am I doing something
>>> wrong?
>>> Thank you in advance.
>>> --
>>> *Benjamin Kim*
>>> *benkimkimben at gmail*
>> --
>> Best regards,
>>  - Andy
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> (via Tom White)
> -- 
> *Benjamin Kim*
> **Mo : +82 10.5357.0521*
> benkimkimben at gmail*
