Posted to issues@hbase.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/11/14 17:44:11 UTC
[jira] [Commented] (HBASE-14809) Namespace admin permission granted to group
[ https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005471#comment-15005471 ]
Hadoop QA commented on HBASE-14809:
-----------------------------------
{color:green}+1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12772369/14809-v3.txt
against master branch at commit 1fa7b71cf82cc30757ecf5d2a8e0cfba654ed469.
ATTACHMENT ID: 12772369
{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:green}+1 tests included{color}. The patch appears to include 3 new or modified tests.
{color:green}+1 hadoop versions{color}. The patch compiles with all supported hadoop versions (2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.0 2.6.1 2.7.0 2.7.1)
{color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.
{color:green}+1 protoc{color}. The applied patch does not increase the total number of protoc compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the total number of checkstyle errors
{color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.
{color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100
{color:green}+1 site{color}. The mvn post-site goal succeeds with this patch.
{color:red}-1 core tests{color}. The patch failed these unit tests:
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/16521//testReport/
Release Findbugs (version 2.0.3) warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/16521//artifact/patchprocess/newFindbugsWarnings.html
Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/16521//artifact/patchprocess/checkstyle-aggregate.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/16521//console
This message is automatically generated.
> Namespace admin permission granted to group
> --------------------------------------------
>
> Key: HBASE-14809
> URL: https://issues.apache.org/jira/browse/HBASE-14809
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.2
> Reporter: Steven Hancz
> Assignee: Ted Yu
> Attachments: 14809-v1.txt, 14809-v2.txt, 14809-v3.txt
>
>
> Hi,
> We are looking to roll out HBase and are in the process of designing the security model.
> We are looking to implement global DBAs and Namespace specific administrators.
> So for example the global dba would create a namespace and grant a user/group admin privileges within that ns.
> So that a given ns admin can in turn create objects and grant permission within the given ns only.
> We have run into some issues at the ns admin level. It appears that a ns admin can NOT grant to a group unless it also has global admin privilege. But once it has global admin privilege it can grant in any NS, not just the one where it has admin privileges.
> Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix
> Table 13. ACL Matrix
> Interface          Operation                 Permissions
> AccessController   grant(global level)       global(A)
>                    grant(namespace level)    global(A)|NS(A)
> grant at a namespace level should be possible for someone with global A OR (|) NS A permission.
> As you will see in our test it does not work if NS A permission is granted but global A permission is not.
> Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
> {code}
> hbase(main):011:0> scan 'hbase:acl'
> ROW COLUMN+CELL
> @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
> {code}
> However:
> Here you can see that a user who is a member of the group hbaseappltest_ns1admin cannot grant a WRX privilege to a group as it is missing global A privilege.
> {code}
> $hbase shell
> 15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available
> HBase Shell; enter 'help<RETURN>' for list of supported commands.
> Type "exit<RETURN>" to leave the HBase Shell
> Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
> hbase(main):001:0> whoami
> ns1admin@WLAB.NET (auth:KERBEROS)
> groups: hbaseappltest_ns1admin
> hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ns1admin' (global, action=ADMIN)
> {code}
> The way I read the documentation, a NS admin should be able to grant as it has ns level A privilege, not only object level permission.
> CDH is version 5.4.7 and HBase is version 1.0.
> Regards,
> Steven
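An added example, not part of the original message or of HBase's own code: a Python model of the documented `global(A)|NS(A)` rule for namespace-level grants, evaluated over `scan 'hbase:acl'` output and matching the caller by user name or by `@group`. The `hbasedba` row, the function names, and the treatment of the `hbase:acl` row key as the global scope are assumptions made for the example.

```python
import re

# Constructed sample of `scan 'hbase:acl'` output. The @ns1 row is the one
# quoted in the report; the hbase:acl row (a global grant to a hypothetical
# user "hbasedba") is added for contrast.
SCAN_OUTPUT = """\
 @ns1       column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
 hbase:acl  column=l:hbasedba, timestamp=1446676600000, value=RWXCA
"""

ROW_RE = re.compile(
    r"^\s*(\S+)\s+column=l:([^,\s]+),\s*timestamp=\d+,\s*value=([RWXCA]+)\s*$")


def parse_acl_scan(text):
    """Return {(scope, name): {principal: set_of_actions}} from scan output."""
    acl = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip headers, blank lines, shell prompts
        row, principal, actions = m.groups()
        if row == "hbase:acl":      # assumption: global grants use this row key
            key = ("global", "")
        elif row.startswith("@"):   # namespace rows are prefixed with '@'
            key = ("namespace", row[1:])
        else:
            key = ("table", row)
        acl.setdefault(key, {}).setdefault(principal, set()).update(actions)
    return acl


def has_admin(acl, key, principals):
    """True if any of the caller's principals holds A (ADMIN) at this scope."""
    grants = acl.get(key, {})
    return any("A" in grants.get(p, set()) for p in principals)


def may_grant_in_namespace(acl, user, groups, namespace):
    """Documented rule for grant(namespace level): global(A) | NS(A)."""
    # A caller is matched by user name or by any '@group' it belongs to.
    principals = {user} | {"@" + g for g in groups}
    return (has_admin(acl, ("global", ""), principals)
            or has_admin(acl, ("namespace", namespace), principals))


ACL = parse_acl_scan(SCAN_OUTPUT)
```

Under this reading of the matrix, `ns1admin` (via its group) may grant in `ns1` but not in any other namespace, which is the least-privilege behaviour the reporter expected.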