Posted to issues@hbase.apache.org by "Matteo Bertozzi (JIRA)" <ji...@apache.org> on 2012/05/05 22:19:51 UTC
[jira] [Created] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Matteo Bertozzi created HBASE-5947:
--------------------------------------
Summary: Check for valid user/table/family/qualifier and acl state
Key: HBASE-5947
URL: https://issues.apache.org/jira/browse/HBASE-5947
Project: HBase
Issue Type: Sub-task
Components: security
Affects Versions: 0.92.1, 0.94.0, 0.96.0
Reporter: Matteo Bertozzi
Assignee: Matteo Bertozzi
HBase Shell grant/revoke doesn't check for a valid user or table/family/qualifier, so you can end up having rights for something that doesn't exist.
We might also want to ensure, upon table/column creation, that no entries are already stored at the acl table. We might still have residual acl entries if something goes wrong, in postDeleteTable(), postDeleteColumn().
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292890#comment-13292890 ]
Laxman commented on HBASE-5947:
-------------------------------
@Matt, any update on this issue?
> Check for valid user/table/family/qualifier and acl state
> ---------------------------------------------------------
>
> Key: HBASE-5947
> URL: https://issues.apache.org/jira/browse/HBASE-5947
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.92.1, 0.94.0, 0.96.0
> Reporter: Matteo Bertozzi
> Assignee: Matteo Bertozzi
> Labels: acl
>
> HBase Shell grant/revoke doesn't check for a valid user or table/family/qualifier, so you can end up having rights for something that doesn't exist.
> We might also want to ensure, upon table/column creation, that no entries are already stored at the acl table. We might still have residual acl entries if something goes wrong, in postDeleteTable(), postDeleteColumn().
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293075#comment-13293075 ]
Enis Soztutar commented on HBASE-5947:
--------------------------------------
Then let's reduce the scope for this issue to be:
- Check for table / cf existence in grant. Not sure about revoke, since we may end up in an inconsistent state between ACL and table metadata, so revoke can just remove what is available in ACL table.
- Ensure that no table/cf/qualifier level permissions are stored in ACL in preCreateTable
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13486215#comment-13486215 ]
Andrew Purtell commented on HBASE-5947:
---------------------------------------
[~enis] or [~mbertozzi] I'd like to close out everything under HBASE-6096 starting with HBASE-5352. If neither of you have anything here I'll take this:
{quote}
- Check for table / cf existence in grant. Not sure about revoke, since we may end up in an inconsistent state between ACL and table metadata, so revoke can just remove what is available in ACL table.
- Ensure that no table/cf/qualifier level permissions are stored in ACL in preCreateTable
{quote}
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292970#comment-13292970 ]
Matteo Bertozzi commented on HBASE-5947:
----------------------------------------
@Enis maybe not, since unless we have an LDAP server or something similar we have no way to decide which users are available...
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292959#comment-13292959 ]
Enis Soztutar commented on HBASE-5947:
--------------------------------------
Are we sure we want to check for users?
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13270645#comment-13270645 ]
Andrew Purtell commented on HBASE-5947:
---------------------------------------
bq. HBase Shell grant/revoke doesn't check for a valid user or table/family/qualifier, so you can end up having rights for something that doesn't exist.
There is an existence check done for the table/family.
{code}
def grant(user, permissions, table_name, family=nil, qualifier=nil)
  security_available?

  # Table should exist
  raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)

  htd = @admin.getTableDescriptor(table_name.to_java_bytes)

  if (family != nil)
    # Column family, when given, must exist in the table descriptor
    raise(ArgumentError, "Can't find a family: #{family}") unless htd.hasFamily(family.to_java_bytes)
  end
  # ... (excerpt ends here; the rest of the method is not shown)
end
{code}
Did you mean this sort of checking is not done at the (Java) API level?
How do you suggest to check for the existence of the user?
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292950#comment-13292950 ]
Laxman commented on HBASE-5947:
-------------------------------
:) I just asked as I noticed the parent issue can be closed if this issue is closed.
bq. But if you want to take ownership of this, go ahead!
I'm not comfortable with LDAP. Will check once and get back to you on this.
A brief approach may be helpful for me to understand.
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292906#comment-13292906 ]
Matteo Bertozzi commented on HBASE-5947:
----------------------------------------
No news on that... checking for column qualifiers requires a deep scan or keeping ref-counted qualifiers somewhere. For users it is not that easy unless we have some LDAP integration or similar.
But if you want to take ownership of this, go ahead!
[jira] [Commented] (HBASE-5947) Check for valid
user/table/family/qualifier and acl state
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292951#comment-13292951 ]
Enis Soztutar commented on HBASE-5947:
--------------------------------------
bq. No news on that... checking for column qualifiers requires a deep scan or keeping ref-counted qualifiers somewhere.
For qualifiers, I think it is fine to not enforce that they exist, but we should check for table / cf. For preCreateTable, and postDelete, we have to do the scan on the ACL table, not on the actual table, no?
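An added sketch, not part of the thread and not HBase code, of the reduced scope discussed above: grant checks table and column family existence, revoke removes whatever is in the ACL store without an existence check, and table creation refuses to proceed while residual ACL rows for that name remain. The class `AclModel`, its methods and the `cleanup_fails` flag are hypothetical names for an in-memory model.

```ruby
# Toy in-memory model, constructed for illustration; not HBase's AccessController.
class AclModel
  Entry = Struct.new(:user, :table, :family, :qualifier, :perms)

  def initialize
    @tables = {} # table name => array of column family names
    @acl = []    # stand-in for the rows of the ACL table
  end

  # Refuse to create a table while ACL rows for that name still exist, so a
  # recreated table cannot silently inherit grants made on its predecessor.
  def create_table(name, families)
    stale = residual_entries(name)
    raise ArgumentError, "#{stale.size} residual ACL entries for #{name}" unless stale.empty?
    @tables[name] = families.dup
  end

  # cleanup_fails: true models a delete whose ACL cleanup step did not run.
  def delete_table(name, cleanup_fails: false)
    @tables.delete(name)
    @acl.reject! { |e| e.table == name } unless cleanup_fails
  end

  # grant checks table and family existence; users and qualifiers are not checked.
  def grant(user, perms, table, family = nil, qualifier = nil)
    raise ArgumentError, "Can't find a table: #{table}" unless @tables.key?(table)
    if family && !@tables[table].include?(family)
      raise ArgumentError, "Can't find a family: #{family}"
    end
    @acl << Entry.new(user, table, family, qualifier, perms)
  end

  # revoke does no existence check: it removes whatever matches in the ACL
  # store and returns the number of rows removed.
  def revoke(user, table, family = nil, qualifier = nil)
    before = @acl.size
    @acl.reject! { |e| [e.user, e.table, e.family, e.qualifier] == [user, table, family, qualifier] }
    before - @acl.size
  end

  def residual_entries(table)
    @acl.select { |e| e.table == table }
  end
end
```

Because revoke works on a table that no longer exists, it is the path an operator uses to clear a residual grant before the table name can be reused.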