You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Gopinathan A (JIRA)" <ji...@apache.org> on 2012/06/21 15:46:42 UTC
[jira] [Created] (HBASE-6253) isLegalTableName API should check for
the _acl_ table name
Gopinathan A created HBASE-6253:
-----------------------------------
Summary: isLegalTableName API should check for the _acl_ table name
Key: HBASE-6253
URL: https://issues.apache.org/jira/browse/HBASE-6253
Project: HBase
Issue Type: Bug
Affects Versions: 0.94.0
Reporter: Gopinathan A
Fix For: 0.94.1
Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-6253:
----------------------------------
Issue Type: Sub-task (was: Bug)
Parent: HBASE-5352
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Do not allow user to disable or
drop ACL table
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13428741#comment-13428741 ]
Hudson commented on HBASE-6253:
-------------------------------
Integrated in HBase-0.94-security-on-Hadoop-23 #6 (See [https://builds.apache.org/job/HBase-0.94-security-on-Hadoop-23/6/])
HBASE-6253. Do not allow user to disable or drop ACL table (Gopinathan) (Revision 1358030)
Result = FAILURE
apurtell :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Assignee: Gopinathan A
> Labels: security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398694#comment-13398694 ]
Gopinathan A commented on HBASE-6253:
-------------------------------------
I felt even authorized user should not able to perform disable/drop operation.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Dont allow user to disable/drop _acl_
table
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Laxman updated HBASE-6253:
--------------------------
Component/s: security
Affects Version/s: 0.94.1
0.96.0
Labels: security (was: )
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13399057#comment-13399057 ]
Gopinathan A commented on HBASE-6253:
-------------------------------------
I agree with your point. I will rework on this patch.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Comment Edited] (HBASE-6253) isLegalTableName API should
check for the _acl_ table name
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398658#comment-13398658 ]
Andrew Purtell edited comment on HBASE-6253 at 6/21/12 6:03 PM:
----------------------------------------------------------------
How can a user drop the ACL table if they are not authorized to do it?
The string {{_ acl _}} as table name has no special meaning unless the AccessController is installed. So -1 a core change that encodes it.
Edit: Fix formatting (kind of)
was (Author: apurtell):
How can a user drop the ACL table if they are not authorized to do it?
The string "_acl_" as table name has no meaning unless the AccessController is installed. So -1 a core change that encodes it.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398658#comment-13398658 ]
Andrew Purtell commented on HBASE-6253:
---------------------------------------
How can a user drop the ACL table if they are not authorized to do it?
The string "_acl_" as table name has no meaning unless the AccessController is installed. So -1 a core change that encodes it.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Zhihong Ted Yu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398583#comment-13398583 ]
Zhihong Ted Yu commented on HBASE-6253:
---------------------------------------
Have you run all security related tests ?
With this patch, how would _acl_ table be created on a clean cluster ?
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "ramkrishna.s.vasudevan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ramkrishna.s.vasudevan reassigned HBASE-6253:
---------------------------------------------
Assignee: Gopinathan A
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Assignee: Gopinathan A
> Labels: security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Dont allow user to disable/drop _acl_
table
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gopinathan A updated HBASE-6253:
--------------------------------
Summary: Dont allow user to disable/drop _acl_ table (was: isLegalTableName API should check for the _acl_ table name)
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400294#comment-13400294 ]
Laxman commented on HBASE-6253:
-------------------------------
should we consider disallowing all DDL operations (add/delete/modify column)?
with online schema change, its not mandatory that we need to diable the table.
that means, we can drop the columns of "acl" table even now.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Do not allow user to disable or
drop ACL table
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407713#comment-13407713 ]
Hudson commented on HBASE-6253:
-------------------------------
Integrated in HBase-0.94 #301 (See [https://builds.apache.org/job/HBase-0.94/301/])
HBASE-6253. Do not allow user to disable or drop ACL table (Gopinathan) (Revision 1358030)
Result = FAILURE
apurtell :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407647#comment-13407647 ]
Andrew Purtell commented on HBASE-6253:
---------------------------------------
I have these changes queued for commit to trunk and 0.94 branch. Will commit after local tests pass.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-6253:
----------------------------------
Summary: Do not allow user to disable or drop ACL table (was: Dont allow user to disable/drop _acl_ table)
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400666#comment-13400666 ]
Andrew Purtell commented on HBASE-6253:
---------------------------------------
bq. should we consider disallowing all DDL operations (add/delete/modify column)? with online schema change, its not mandatory that we need to diable the table. that means, we can drop the columns of "acl" table even now.
Concur.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) isLegalTableName API should check for
the _acl_ table name
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gopinathan A updated HBASE-6253:
--------------------------------
Attachment: HBASE-6253.patch
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398695#comment-13398695 ]
Andrew Purtell commented on HBASE-6253:
---------------------------------------
-1 any core code change here. Protect against the drop in the AccessController.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400317#comment-13400317 ]
Hadoop QA commented on HBASE-6253:
----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12533259/HBASE-6253.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
+1 hadoop2.0. The patch compiles against the hadoop 2.0 profile.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 11 new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed unit tests in .
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2247//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2247//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2247//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2247//console
This message is automatically generated.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "ramkrishna.s.vasudevan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400297#comment-13400297 ]
ramkrishna.s.vasudevan commented on HBASE-6253:
-----------------------------------------------
I think its better we fix keeping online schema changes also.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Hofhansl closed HBASE-6253.
--------------------------------
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.1, 0.96.0
> Reporter: Gopinathan A
> Assignee: Gopinathan A
> Labels: security
> Fix For: 0.94.1, 0.96.0
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400665#comment-13400665 ]
Andrew Purtell commented on HBASE-6253:
---------------------------------------
+1 on patch
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Do not allow user to disable or
drop ACL table
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13411170#comment-13411170 ]
Hudson commented on HBASE-6253:
-------------------------------
Integrated in HBase-0.94-security #39 (See [https://builds.apache.org/job/HBase-0.94-security/39/])
HBASE-6253. Do not allow user to disable or drop ACL table (Gopinathan) (Revision 1358030)
Result = SUCCESS
apurtell :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-6253:
----------------------------------
Resolution: Fixed
Hadoop Flags: Reviewed
Status: Resolved (was: Patch Available)
Committed to trunk and 0.94 branch. TestAccessController passes locally.
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Dont allow user to disable/drop _acl_
table
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gopinathan A updated HBASE-6253:
--------------------------------
Status: Open (was: Patch Available)
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Do not allow user to disable or drop
ACL table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-6253:
----------------------------------
Affects Version/s: (was: 0.94.0)
Fix Version/s: 0.96.0
> Do not allow user to disable or drop ACL table
> ----------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) isLegalTableName API should check for
the _acl_ table name
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gopinathan A updated HBASE-6253:
--------------------------------
Status: Patch Available (was: Open)
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407623#comment-13407623 ]
Lars Hofhansl commented on HBASE-6253:
--------------------------------------
+1 on patch.
Let's tackle online schema change in a separate issue (against 0.94.2).
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398656#comment-13398656 ]
Gopinathan A commented on HBASE-6253:
-------------------------------------
Sorry Ted.. I have not run the Security related tests. Your right acl table creation will be failed in this case :(
My main intention to avoid user to perform disable/drop acl table.
I think we can set setMetaFlags as true in HTableDescriptor constructor for _acl_ table also (like ROOT & META). This will solve the table creation problem.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) Dont allow user to disable/drop
_acl_ table
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400296#comment-13400296 ]
Laxman commented on HBASE-6253:
-------------------------------
by DDL i consider : AddColumn, ModifyColumn, DeleteColumn, EnableTable, DisableTable, ModifyTable, DeleteTable
Reference: ACL matrix available @ HBASE-6192
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check
for the _acl_ table name
Posted by "ramkrishna.s.vasudevan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398649#comment-13398649 ]
ramkrishna.s.vasudevan commented on HBASE-6253:
-----------------------------------------------
@Ted
{code}
if (!MetaReader.tableExists(master.getCatalogTracker(), ACL_TABLE_NAME_STR)) {
master.createTable(ACL_TABLEDESC, null);
}
{code}
The acl creation goes thro' master.createTable. So it should be ok.
> isLegalTableName API should check for the _acl_ table name
> ----------------------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.94.0
> Reporter: Gopinathan A
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Dont allow user to disable/drop _acl_
table
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Laxman updated HBASE-6253:
--------------------------
Status: Patch Available (was: Open)
Moving to PA.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6253) Dont allow user to disable/drop _acl_
table
Posted by "Gopinathan A (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gopinathan A updated HBASE-6253:
--------------------------------
Attachment: HBASE-6253.patch
I considered only disable table scenario in this patch, since table need to be disabled before doing any drop/modify table.
> Dont allow user to disable/drop _acl_ table
> -------------------------------------------
>
> Key: HBASE-6253
> URL: https://issues.apache.org/jira/browse/HBASE-6253
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: Gopinathan A
> Labels: security
> Fix For: 0.94.1
>
> Attachments: HBASE-6253.patch, HBASE-6253.patch
>
>
> Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira