Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/06/06 00:38:00 UTC

[jira] [Updated] (RANGER-533) Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan

     [ https://issues.apache.org/jira/browse/RANGER-533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alok Lal updated RANGER-533:
----------------------------
    Fix Version/s:     (was: 0.5.0)

> Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-533
>                 URL: https://issues.apache.org/jira/browse/RANGER-533
>             Project: Ranger
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>            Reporter: Alok Lal
>            Assignee: Alok Lal
>
> Consider the following series of hbase shell commands
> {code}
> disable 'tab1'
> drop 'tab1'
> create 'tab1', 'fam1', 'fam2', 'fam3'
> put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
> put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
> put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
> {code}
> Imagine that there are users it1 and it2 both belonging to user group IT.  Let's grant them the following access:
> {code}
> grant '@IT', 'R', 'tab1', 'fam1', 'col1'
> grant 'it2', 'R', 'tab1', 'fam2'
> {code}
> After this, if user it1 does any of the following accesses then the user won't get back any rows, even though we would expect the user to get back 'row1' with data for 'fam1:col1'
> {code}
> scan 'tab1'
> scan 'tab1', 'fam1'
> get 'tab1', 'row1'
> get 'tab1', 'row1', 'fam1'
> {code}
> However, doing the following works as expected.
> {code}
> scan 'tab1', 'fam1', 'col1'
> get 'tab1', 'row1', 'fam1', 'col2'
> {code}
> Further, user it2 gets the right results when she does the following, i.e. she gets back results from both 'fam1:col1' and 'fam2:col1'
> {code}
> scan 'tab1'
> scan 'tab1', 'fam1'
> get 'tab1', 'row1'
> get 'tab1', 'row1', 'fam1'
> {code}
> This happens because for user it1 (from group IT) there is no column family to which it has family-level access in table 'tab1'.  She only has partial access to 'fam1' and no access to 'fam2'.  Whereas, while user it2 has partial access to fam1, since she has full access to fam2 the final results are right and include values from both fam1 and fam2.
> Workaround for this issue is to create a dummy family in a table and give full access to that dummy family to all users that otherwise don't have full access to any other column family of that table.
> So in the above example if you were to give the following grant then results of user it1 would be corrected:
> {code}
> grant '@IT', 'R', 'tab1', 'fam3'
> {code}
> In practice most often users have family level access so incidents of this issue in the field might be less.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
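
An added example, not part of the original message and not Ranger's own code: a small audit that reads grant lines in the form used in the issue and lists the (user, table) pairs matching the condition described above (read access to some column, but to no whole family and not to the whole table), i.e. the users who would need the dummy-family workaround. The `GROUPS` mapping and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumed group membership, taken from the issue text (it1 and it2 belong to IT).
GROUPS = {"IT": {"it1", "it2"}}

# Grant lines copied from the issue description.
ISSUE_GRANTS = [
    "grant '@IT', 'R', 'tab1', 'fam1', 'col1'",
    "grant 'it2', 'R', 'tab1', 'fam2'",
]
# The workaround grant from the issue (dummy family 'fam3').
WORKAROUND = ["grant '@IT', 'R', 'tab1', 'fam3'"]

def parse_grant(line):
    """Split a grant line into (principal, perms, table, family, column)."""
    fields = re.findall(r"'([^']*)'", line)
    if not line.strip().startswith("grant") or not 3 <= len(fields) <= 5:
        raise ValueError(f"not a grant line: {line!r}")
    fields += [None] * (5 - len(fields))   # family/column are optional
    return tuple(fields)

def expand(principal):
    """Resolve '@group' to its members; a plain name is a single user."""
    if principal.startswith("@"):
        return GROUPS.get(principal[1:], set())
    return {principal}

def affected_users(grant_lines):
    """Return sorted (user, table) pairs whose read grants on that table are
    all column-level, with no family-level or table-level grant."""
    scopes = defaultdict(set)   # (user, table) -> subset of {table, family, column}
    for line in grant_lines:
        principal, perms, table, family, column = parse_grant(line)
        if "R" not in perms:    # this sketch only models read access
            continue
        scope = "column" if column else "family" if family else "table"
        for user in expand(principal):
            scopes[(user, table)].add(scope)
    return sorted(key for key, found in scopes.items() if found == {"column"})

if __name__ == "__main__":
    print("before workaround:", affected_users(ISSUE_GRANTS))
    print("after workaround: ", affected_users(ISSUE_GRANTS + WORKAROUND))
```
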