Return-Path: X-Original-To: apmail-hbase-user-archive@www.apache.org Delivered-To: apmail-hbase-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BA47110C34 for ; Wed, 26 Feb 2014 17:00:52 +0000 (UTC) Received: (qmail 92541 invoked by uid 500); 26 Feb 2014 17:00:49 -0000 Delivered-To: apmail-hbase-user-archive@hbase.apache.org Received: (qmail 92440 invoked by uid 500); 26 Feb 2014 17:00:48 -0000 Mailing-List: contact user-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@hbase.apache.org Delivered-To: mailing list user@hbase.apache.org Received: (qmail 92432 invoked by uid 99); 26 Feb 2014 17:00:48 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Feb 2014 17:00:48 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of yuzhihong@gmail.com designates 209.85.160.174 as permitted sender) Received: from [209.85.160.174] (HELO mail-yk0-f174.google.com) (209.85.160.174) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Feb 2014 17:00:42 +0000 Received: by mail-yk0-f174.google.com with SMTP id 20so3221177yks.5 for ; Wed, 26 Feb 2014 09:00:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=vOd9fDYYl9HdmARB1NTBeynTcJqN0zKZGs/BU3Qbwe8=; b=VFPotVCWLUBpQHswJJHoe65AGvpK0/n7mZo89Z2fh3c/pJgvjkHz7axHtx9la+Vxr7 2LBzrJ57rtpd243t5yqyEAnW5uAuyj2n98MIJ9nMBHrGGWXEIWo2QbJD8NzP7DDIvB7n mKKbjsTtDvIoS0FeAE2GewwQTdyc0afg7vTw78aEiDofFz/rps+Y/Llt/h3S7NUi8gsC awDpUGCOPyf0lsiSZWT8pupTKpL6R4xCGcrdvsbXzzHRs+79ZJsqZ/M9duab+jHGyjo9 8+p53p/GCoLLy60zhQyN1/fD/tPv5tIWQdrylbPNgr1/tr75uWBIBl5YvPt9F+3KJ4BB 6Ntw== MIME-Version: 1.0 X-Received: by 10.236.81.237 with SMTP id m73mr3332178yhe.29.1393434021307; Wed, 26 Feb 2014 09:00:21 -0800 (PST) Received: by 10.170.79.86 with HTTP; Wed, 26 Feb 2014 09:00:21 -0800 (PST) In-Reply-To: References: Date: Wed, 26 Feb 2014 09:00:21 -0800 Message-ID: Subject: Re: enable/disable table permission From: Ted Yu To: "user@hbase.apache.org" Content-Type: multipart/alternative; boundary=20cf3011dba9dbb01c04f3522366 X-Virus-Checked: Checked by ClamAV on apache.org --20cf3011dba9dbb01c04f3522366 Content-Type: text/plain; charset=ISO-8859-1 I was looking at HBASE-9206 : the last comment was 5 months ago. On Wed, Feb 26, 2014 at 8:57 AM, Alex Nastetsky wrote: > Thanks for all that detail. Re: updating documentation, it looks like there > is a ticket for that: https://issues.apache.org/jira/browse/HBASE-6192 > > My specific use case is to support secure multi-tenancy. It looks like > namespaces is the way to go, and security for them was added in > https://issues.apache.org/jira/browse/HBASE-8409 with additional security > being added in https://issues.apache.org/jira/browse/HBASE-9206. > > > On Tue, Feb 25, 2014 at 7:30 PM, Gary Helmling > wrote: > > > It looks like how the CREATE permission is applied changed with > HBASE-6188, > > which removed the concept of a table owner. Prior to HBASE-6188, the > > disable/enable table permission checks required either: > > > > * ADMIN permission > > or > > * the user is the table owner AND has the CREATE permission > > > > I believe the original intent here was that if you created a table, you > > should be able to disable and modify it. > > > > After HBASE-6188, the check in enable/disable table is simply for either > > ADMIN or CREATE permission. This seems to be the best compromise on > > attempting to maintain some of the previous semantics. > > > > Andrew Purtell commented to this in HBASE-6188: > > > > > > > > CREATE -(DDL) CreateTable, AddColumn, DeleteColumn, DeleteTable, > > ModifyColumn, ModifyTable, DisableTable, EnableTable > > > > ADMIN - All of the above plus Flush, Split, Compact > > > > It's not useful to give add/delete/modify schema privileges without > > enable/disable to have them take effect. So either we do the above or we > > get rid of CREATE. I think the above distinction is still useful. > > > > Edit: I don't like that non-ADMIN can do enable/disable table, because it > > can really affect the cluster if the table is large. However I think on > > balance it would be more confusing than useful to remove EnableTable and > > DisableTable from the set of operations CREATE permission allows until > > online schema update-in-place without disable is always possible. > > > > > > At this point, it may be useful to discuss if we're at the point yet > where > > online schema updates can be reliably done without a table disable. In > > this case, it might make sense to drop disable/enable table from CREATE > > permission. Though we now have backwards compatibility to consider as > > well. > > > > If this could be better reflected in the security documentation, please > do > > open a JIRA describing how we can make it clearer. And if you feel up to > > it, a patch or updated text would be even better. > > > > > > On Tue, Feb 25, 2014 at 12:30 PM, Alex Nastetsky > >wrote: > > > > > I don't really understand how HBase permission is expected to work > then. > > A > > > user needs the Create permission in order to be able to create their > own > > > tables. But that permission also allows them to "drop" and "alter" the > > > tables created by others. Even if those operations are set up to only > > work > > > when a table is disabled, the ability to disable a table is also given > by > > > the Create permission. What am I missing? > > > > > > > > > On Tue, Feb 25, 2014 at 3:25 PM, Alex Nastetsky < > anastetsky@spryinc.com > > > >wrote: > > > > > > > Sounds like either permission is sufficient. Either way, the > > > documentation > > > > could be improved. > > > > > > > > Thanks. > > > > > > > > > > > > On Tue, Feb 25, 2014 at 3:22 PM, Ted Yu wrote: > > > > > > > >> Here is related code from AccessController: > > > >> {code} > > > >> public void > > > >> preDisableTable(ObserverContext > > > >> c, byte[] tableName) > > > >> ... > > > >> requirePermission("disableTable", tableName, null, null, > > > Action.ADMIN, > > > >> Action.CREATE); > > > >> {code} > > > >> requirePermission() iterates through the above permissions and would > > > >> return > > > >> error for the second permission (CREATE) if validation fails. > > > >> > > > >> Cheers > > > >> > > > >> > > > >> On Tue, Feb 25, 2014 at 12:12 PM, Alex Nastetsky < > > > anastetsky@spryinc.com > > > >> >wrote: > > > >> > > > >> > According to > > > >> > > > > >> > > > > >> > > > > > > http://hbase.apache.org/book/hbase.accesscontrol.configuration.html#d2566e5780 > > > >> > , > > > >> > the Enable/Disable operation is controlled by the Admin > permission. > > > >> > However, it seems to be controlled instead by the Create > permission. > > > Is > > > >> > this a bug or a typo in the documentation? > > > >> > > > > >> > hbase(main):002:0> disable 'foo' > > > >> > > > > >> > ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: > > > >> Insufficient > > > >> > permissions (user=anastetsky@SPRY.COM, scope=foo, family=, > > > >> action=CREATE) > > > >> > > > > >> > Thanks in advance, > > > >> > Alex. > > > >> > > > > >> > > > > > > > > > > > > > > --20cf3011dba9dbb01c04f3522366--