Posted to issues@hbase.apache.org by "Matteo Bertozzi (Created) (JIRA)" <ji...@apache.org> on 2012/04/14 00:49:17 UTC

[jira] [Created] (HBASE-5787) Table owner can't disable/delete its own table

Table owner can't disable/delete its own table
----------------------------------------------

                 Key: HBASE-5787
                 URL: https://issues.apache.org/jira/browse/HBASE-5787
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.92.1, 0.94.0, 0.96.0
            Reporter: Matteo Bertozzi
            Priority: Minor
         Attachments: HBASE-5787-v0.patch

A user with CREATE privileges can create a table, but cannot disable it, because the disable operation requires ADMIN privileges. Also, if a table is already disabled, anyone can remove it.
{code}
public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
    byte[] tableName) throws IOException {
  requirePermission(Permission.Action.CREATE);
}

public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
    byte[] tableName) throws IOException {
  /* TODO: Allow for users with global CREATE permission and the table owner */
  requirePermission(Permission.Action.ADMIN);
}
{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
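
The two hooks quoted in the report ignore the tableName argument, so the decision depends only on the caller's global grants. The self-contained model below is an added example, not the HBASE-5787 patch and not HBase code: it reproduces the reported checks next to an ownership-aware check. TableAclModel, the user names, the owner map and the policy "global ADMIN, or the table owner holding CREATE" are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Toy model of the two master hooks quoted in the report; not HBase code. */
public class TableAclModel {
  enum Action { CREATE, ADMIN }

  static class AccessDeniedException extends Exception {
    AccessDeniedException(String msg) { super(msg); }
  }

  /** A permission check that may refuse the caller. */
  interface Check { void run() throws AccessDeniedException; }

  // Hypothetical state: global grants per user and the creator of each table.
  private final Map<String, Set<Action>> globalGrants = new HashMap<>();
  private final Map<String, String> tableOwner = new HashMap<>();

  void grant(String user, Action... actions) {
    Set<Action> granted = EnumSet.noneOf(Action.class);
    for (Action a : actions) granted.add(a);
    globalGrants.put(user, granted);
  }

  private boolean has(String user, Action action) {
    Set<Action> granted = globalGrants.get(user);
    return granted != null && granted.contains(action);
  }

  private void requirePermission(String user, Action action) throws AccessDeniedException {
    if (!has(user, action)) {
      throw new AccessDeniedException(user + " lacks global " + action);
    }
  }

  void createTable(String user, String table) throws AccessDeniedException {
    requirePermission(user, Action.CREATE);
    tableOwner.put(table, user);   // the creator becomes the owner
  }

  // Checks as quoted in the report: the table name never enters the decision.
  void preDeleteTableReported(String user, String table) throws AccessDeniedException {
    requirePermission(user, Action.CREATE);
  }

  void preDisableTableReported(String user, String table) throws AccessDeniedException {
    requirePermission(user, Action.ADMIN);
  }

  // Ownership-aware check (assumed policy): ADMIN, or the owner holding CREATE.
  void requireOwnerOrAdmin(String user, String table) throws AccessDeniedException {
    if (has(user, Action.ADMIN)) return;
    if (has(user, Action.CREATE) && user.equals(tableOwner.get(table))) return;
    throw new AccessDeniedException(user + " is neither ADMIN nor owner of " + table);
  }

  static String outcome(Check check) {
    try {
      check.run();
      return "ALLOW";
    } catch (AccessDeniedException e) {
      return "DENY (" + e.getMessage() + ")";
    }
  }

  public static void main(String[] args) throws AccessDeniedException {
    TableAclModel acl = new TableAclModel();
    // Constructed users: alice and bob hold CREATE only, root also holds ADMIN.
    acl.grant("alice", Action.CREATE);
    acl.grant("bob", Action.CREATE);
    acl.grant("root", Action.CREATE, Action.ADMIN);
    acl.createTable("alice", "t1");

    // Reported behaviour: the owner is refused, a non-owner with CREATE is not.
    System.out.println("reported disable t1 by alice: "
        + outcome(() -> acl.preDisableTableReported("alice", "t1")));
    System.out.println("reported delete  t1 by bob:   "
        + outcome(() -> acl.preDeleteTableReported("bob", "t1")));

    // Ownership-aware behaviour for the same requests, plus the administrator.
    System.out.println("owner-aware t1 by alice:      "
        + outcome(() -> acl.requireOwnerOrAdmin("alice", "t1")));
    System.out.println("owner-aware t1 by bob:        "
        + outcome(() -> acl.requireOwnerOrAdmin("bob", "t1")));
    System.out.println("owner-aware t1 by root:       "
        + outcome(() -> acl.requireOwnerOrAdmin("root", "t1")));
  }
}
```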

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13253855#comment-13253855 ] 

Zhihong Yu commented on HBASE-5787:
-----------------------------------

Patch makes sense.

Please run through security test suite and let us know the result.
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-v0.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13256898#comment-13256898 ] 

Hudson commented on HBASE-5787:
-------------------------------

Integrated in HBase-TRUNK #2781 (See [https://builds.apache.org/job/HBase-TRUNK/2781/])
    HBASE-5787 Table owner can't disable/delete its own table (Matteo) (Revision 1327605)

     Result = FAILURE
tedyu : 
Files : 
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.94.0, 0.96.0
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-5787:
-----------------------------------

    Attachment: HBASE-5787-tests-wrong-names.patch

Test seems ok, (tested against 0.94)
I've also attached a patch to fix some "copy-paste" code.
{code}
Running org.apache.hadoop.hbase.security.access.TestZKPermissionsWatcher
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 13.659 sec
Running org.apache.hadoop.hbase.security.access.TestAccessControlFilter
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 18.746 sec
Running org.apache.hadoop.hbase.security.access.TestAccessController
Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 34.119 sec
Running org.apache.hadoop.hbase.security.access.TestTablePermissions
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 28.822 sec

Results :
Tests run: 27, Failures: 0, Errors: 0, Skipped: 0
{code}
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Andrew Purtell (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257104#comment-13257104 ] 

Andrew Purtell commented on HBASE-5787:
---------------------------------------

This seems fine. The initial implementation had the notion of requiring ADMIN for any table op that has global cluster implications, but then went back and changed that to allow at least users to create tables if they had CREATE permission. The delete case seems a bug. All around an area that required improvement.
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhihong Yu updated HBASE-5787:
------------------------------

    Fix Version/s: 0.96.0
                   0.94.0
                   0.92.2
     Hadoop Flags: Reviewed
    
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.94.0, 0.96.0
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13256747#comment-13256747 ] 

Matteo Bertozzi commented on HBASE-5787:
----------------------------------------

Any additional thoughts or comments on the patch?
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Lars Hofhansl (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lars Hofhansl updated HBASE-5787:
---------------------------------

    Fix Version/s:     (was: 0.94.0)
                   0.94.1

I would like to see some input from the folks who did the security implementation first. Andrew? Gary? Any comments.
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259506#comment-13259506 ] 

Hudson commented on HBASE-5787:
-------------------------------

Integrated in HBase-0.92-security #105 (See [https://builds.apache.org/job/HBase-0.92-security/105/])
    HBASE-5787 Table owner can't disable/delete its own table (Matteo) (Revision 1327758)

     Result = FAILURE
tedyu : 
Files : 
* /hbase/branches/0.92/CHANGES.txt
* /hbase/branches/0.92/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.92/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257265#comment-13257265 ] 

Hudson commented on HBASE-5787:
-------------------------------

Integrated in HBase-TRUNK-security #175 (See [https://builds.apache.org/job/HBase-TRUNK-security/175/])
    HBASE-5787 Table owner can't disable/delete its own table (Matteo) (Revision 1327605)

     Result = FAILURE
tedyu : 
Files : 
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257712#comment-13257712 ] 

Hudson commented on HBASE-5787:
-------------------------------

Integrated in HBase-0.94-security #17 (See [https://builds.apache.org/job/HBase-0.94-security/17/])
    HBASE-5787 Table owner can't disable/delete its own table (Matteo) (Revision 1327757)

     Result = FAILURE
tedyu : 
Files : 
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-5787:
-----------------------------------

    Attachment: HBASE-5787-v0.patch
    
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-v0.patch

        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete his/her own table

Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lars Hofhansl updated HBASE-5787:
---------------------------------

    Fix Version/s:     (was: 0.94.1)
                   0.94.0
    
> Table owner can't disable/delete his/her own table
> --------------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.94.0, 0.96.0
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13256862#comment-13256862 ] 

Zhihong Yu commented on HBASE-5787:
-----------------------------------

I applied latest patch to 0.92 and was able to run the test:
{code}
Running org.apache.hadoop.hbase.security.access.TestAccessController
Tests run: 21, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 45.115 sec

Results :

Tests run: 21, Failures: 0, Errors: 0, Skipped: 0
{code}
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.94.0, 0.96.0
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13254336#comment-13254336 ] 

Zhihong Yu commented on HBASE-5787:
-----------------------------------

Thanks for the update.
Can you combine the two patches and run through tests again, including the following two?
{code}
security/src/test//java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
security/src/test//java/org/apache/hadoop/hbase/security/token/TestZKSecretWatcher.java
{code}
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch


        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13256785#comment-13256785 ] 

Matteo Bertozzi commented on HBASE-5787:
----------------------------------------

Except for a getConf() -> getConfiguration() change, nothing has changed in AccessController between 0.92 and trunk.
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.94.0, 0.96.0
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch

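
The two checks quoted in the issue description, modelled side by side with an owner-aware alternative. This is an added example, not HBase code and not the attached patch: the class, the user and table names, and the owner-or-ADMIN policy are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class TableOwnerAclDemo {
    enum Action { CREATE, ADMIN }

    // Constructed sample state: global grants per user, owner per table.
    static final Map<String, Set<Action>> GLOBAL = new HashMap<>();
    static final Map<String, String> OWNER = new HashMap<>();

    static boolean hasGlobal(String user, Action action) {
        Set<Action> granted = GLOBAL.get(user);
        return granted != null && granted.contains(action);
    }

    // Checks as quoted in the issue: a global permission only, the table
    // owner is never consulted (disable needs ADMIN, delete needs CREATE).
    static boolean reportedCheck(String user, String op) {
        Action needed = op.equals("disable") ? Action.ADMIN : Action.CREATE;
        return hasGlobal(user, needed);
    }

    // Assumed policy (hypothetical, not the project's fix): one rule for
    // both operations, allowing the table owner or a global ADMIN.
    static boolean ownerAwareCheck(String user, String table) {
        return user.equals(OWNER.get(table)) || hasGlobal(user, Action.ADMIN);
    }

    public static void main(String[] args) {
        GLOBAL.put("alice", EnumSet.of(Action.CREATE)); // created t1, owns it
        GLOBAL.put("bob", EnumSet.of(Action.CREATE));   // unrelated CREATE user
        GLOBAL.put("root", EnumSet.of(Action.CREATE, Action.ADMIN));
        OWNER.put("t1", "alice");

        String[] users = {"alice", "bob", "root"};
        String[] ops = {"disable", "delete"};
        System.out.printf("%-6s %-8s %-9s %s%n", "user", "op", "reported", "owner-aware");
        for (String user : users) {
            for (String op : ops) {
                System.out.printf("%-6s %-8s %-9s %s%n", user, op,
                    reportedCheck(user, op) ? "allow" : "deny",
                    ownerAwareCheck(user, "t1") ? "allow" : "deny");
            }
        }
    }
}
```

The rows for `alice` (disable) and `bob` (delete) are the two halves of the report: the owner is denied an operation on her own table, while a non-owner holding only global CREATE is allowed to delete it.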

        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257119#comment-13257119 ] 

Zhihong Yu commented on HBASE-5787:
-----------------------------------

Thanks for the information, Andy.

Integrated to 0.92 and 0.94 as well.

Thanks for the patch, Matteo.
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete his/her own table

Posted by "Zhihong Yu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhihong Yu updated HBASE-5787:
------------------------------

    Summary: Table owner can't disable/delete his/her own table  (was: Table owner can't disable/delete its own table)
    
> Table owner can't disable/delete his/her own table
> --------------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13256777#comment-13256777 ] 

Zhihong Yu commented on HBASE-5787:
-----------------------------------

Integrated to trunk.

I think this should go to 0.94.0 as well.
What do you think, Lars?
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Resolved] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Zhihong Yu (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zhihong Yu resolved HBASE-5787.
-------------------------------

    Resolution: Fixed
    
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Updated] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-5787:
-----------------------------------

    Attachment: HBASE-5787-v1.patch

{code}
Running org.apache.hadoop.hbase.security.token.TestTokenAuthentication
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 13.765 sec
Running org.apache.hadoop.hbase.security.token.TestZKSecretWatcher
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 15.958 sec

Results :
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
{code}
                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Commented] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Hudson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257151#comment-13257151 ] 

Hudson commented on HBASE-5787:
-------------------------------

Integrated in HBase-0.94 #131 (See [https://builds.apache.org/job/HBase-0.94/131/])
    HBASE-5787 Table owner can't disable/delete its own table (Matteo) (Revision 1327757)

     Result = FAILURE
tedyu : 
Files : 
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java

                
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>             Fix For: 0.92.2, 0.96.0, 0.94.1
>
>         Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch, HBASE-5787-v1.patch


        

[jira] [Assigned] (HBASE-5787) Table owner can't disable/delete its own table

Posted by "Matteo Bertozzi (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi reassigned HBASE-5787:
--------------------------------------

    Assignee: Matteo Bertozzi
    
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
>                 Key: HBASE-5787
>                 URL: https://issues.apache.org/jira/browse/HBASE-5787
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>              Labels: acl, security
>         Attachments: HBASE-5787-v0.patch
