hbase-user mailing list archives

From Ben Kim <benkimkim...@gmail.com>
Subject Re: accessing _acl_ from hbase client
Date Mon, 04 Jun 2012 09:17:37 GMT
Granting and revoking RW permission to a user defined table works fine.

Granting and revoking RW permission to .META. and -ROOT- doesn't work, but
this makes sense because users aren't supposed to modify these tables (only reads
are allowed).

Granting and revoking RW permission to _acl_ doesn't work. Why? (I want a
specific user like Admin to control the ACL.)

I'm running client code with a user "Ben", and here's what I did...

   - First, doing a scan on _acl_ worked without any permission settings.
   - Then, from the hbase command line, I granted RW permission on the _acl_
   table to "Ben"; scanning from the client worked again.
   - Now, I revoked RW permission on the _acl_ table of "Ben"; now scanning
   from the client didn't work.
   - So, I re-granted RW permission on the _acl_ table of "Ben"; scanning
   doesn't work. :(

Also, granting permissions to _acl_ doesn't seem to affect the output of
user_permission.

user_permission '_acl_' always prints an empty result.


BTW, I'm running hbase-0.94.0 on a single machine.


Ben

On Mon, Jun 4, 2012 at 5:23 PM, Andrew Purtell <apurtell@apache.org> wrote:

> There are shell commands available for managing ACLs: grant, revoke, and
> user_permission. Use these.
>
>    - Andy
>
> On Monday, June 4, 2012, Anoop Sam John wrote:
>
> > Hi
> >
> > >it's sort of funny that I can still access the -ROOT- & .META. tables
> > >without permissions. Do you think this is a bug? or am I doing something
> > >wrong?
> > No. The catalog tables are given read permission for everyone, as
> > the client scans these tables in Put/Scan cases for other tables.
> >
> > You can use grant() and remove() functions provided in AccessController
> > for controlling the users and admins etc.
> >
> > -Anoop-
> > ________________________________________
> > From: Ben Kim [benkimkimben@gmail.com]
> > Sent: Monday, June 04, 2012 11:53 AM
> > To: user@hbase.apache.org
> > Subject: accessing _acl_ from hbase client
> >
> > Is there any way a client can access the _acl_ table?
> > I want an administrator to be able to control the user access to all
> > tables.
> > In order to do this I'll need to access the _acl_ table from the HBase
> > client.
> > I'm thinking of something like the MySQL user table, which has all access
> > permissions to tables.
> >
> > I already tried giving _acl_ access permission to the Admin user, (grant
> > 'Admin', 'RW', '_acl_')
> > but scanning through the _acl_ table with Admin user wasn't allowed.
> >
> > it's sort of funny that I can still access the -ROOT- & .META. tables
> > without permissions. Do you think this is a bug? or am I doing something
> > wrong?
> >
> > Thank you in advance.
> > --
> >
> > *Benjamin Kim*
> > *benkimkimben at gmail*
> >
>
>
> --
> Best regards,
>
>   - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
>



-- 

*Benjamin Kim*
*Mo : +82 10.5357.0521*
*benkimkimben at gmail*
