Posted to issues@hbase.apache.org by "Anoop Sam John (JIRA)" <ji...@apache.org> on 2014/09/03 22:52:51 UTC

[jira] [Comment Edited] (HBASE-11886) The creator of the table should have all permissions on the table

    [ https://issues.apache.org/jira/browse/HBASE-11886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120427#comment-14120427 ] 

Anoop Sam John edited comment on HBASE-11886 at 9/3/14 8:51 PM:
----------------------------------------------------------------

bq. Since the master does HDFS operations when operations like createTable are called, it might be an issue, no?
I think no issue, because the op will be performed with the master identity only. RequestContext is used to know who is the active user. RequestContext is an HBase class, and in HDFS we will not be getting the user from this. By a change in the RequestContext ThreadLocal, we make sure that wherever in the HBase code flow we check for the user from RequestContext, it is the RPC user who initiated the flow.

I am OK with not doing this change if there is a risk factor and more time is needed for tests. Andy would like to get the next RC soon, I believe.

+1 with just changing the part of getting activeUser from RequestContext (instead of UserProvider.instantiate(conf).getCurrent()). Mind adding a comment on why we do this, so that it will be easy for someone who reads the code later?


was (Author: anoop.hbase):
bq. Since the master does HDFS operations when operations like createTable are called, it might be an issue, no?
I think no issue, because the op will be performed with the master identity only. RequestContext is used to know who is the active user. RequestContext is an HBase class, and in HDFS we will not be getting the user from this. By a change in the RequestContext ThreadLocal, we make sure that wherever in the HBase code flow we check for the user from RequestContext, it is the RPC user who initiated the flow.

I am OK with not doing this change if there is a risk factor and more time is needed for tests. Andy would like to get the next RC soon, I believe.

+1 with just changing the part of getting activeUser from RequestContext. Mind adding a comment on why we do this, so that it will be easy for someone who reads the code later?

> The creator of the table should have all permissions on the table
> -----------------------------------------------------------------
>
>                 Key: HBASE-11886
>                 URL: https://issues.apache.org/jira/browse/HBASE-11886
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.3
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>            Priority: Critical
>             Fix For: 0.99.0, 2.0.0, 0.98.6
>
>         Attachments: 11886-1.txt
>
>
> In our testing of 0.98.4 with security ON, we found that table creator doesn't have RWXCA on the created table. Instead, the user representing the HBase daemon gets all permissions. Due to this the table creator can't write to the table he just created. I am suspecting HBASE-11275 introduced the problem.
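
The distinction discussed in the comment above (storage work done under the daemon identity, table ownership taken from the RPC caller), as an added Java example that is not HBase code and not part of the original message. `REQUEST_USER`, `PROCESS_USER`, the `ACL` map and the user names are constructed stand-ins, and falling back to the process user outside an RPC is an assumption.

```java
import java.util.*;

// Stand-in model: none of these names are HBase's own classes or APIs.
public class OwnerGrantDemo {
    // Per-thread record of the RPC caller, set by the RPC layer for one call.
    static final ThreadLocal<String> REQUEST_USER = new ThreadLocal<>();
    static final String PROCESS_USER = "hbase"; // daemon login (constructed value)
    // table -> user -> permission string
    static final Map<String, Map<String, String>> ACL = new HashMap<>();

    // Behaviour reported in the issue: owner is always the daemon's own login.
    static String ownerFromProcess() { return PROCESS_USER; }

    // Behaviour agreed in the comment: owner is the RPC caller when inside a
    // call. The fallback to the daemon outside an RPC is an assumption.
    static String ownerFromRequest() {
        String u = REQUEST_USER.get();
        return u != null ? u : PROCESS_USER;
    }

    static void createTable(String table, boolean useRequestUser) {
        // Storage-side work runs as PROCESS_USER in both variants; only the
        // identity recorded as table owner differs.
        String owner = useRequestUser ? ownerFromRequest() : ownerFromProcess();
        ACL.computeIfAbsent(table, t -> new HashMap<>()).put(owner, "RWXCA");
    }

    static boolean canWrite(String table, String user) {
        String perms = ACL.getOrDefault(table, Collections.emptyMap()).get(user);
        return perms != null && perms.contains("W");
    }

    // Simulates the RPC layer: set the caller, run the handler, always clear,
    // so a pooled handler thread never carries a stale caller into the next call.
    static void rpc(String caller, Runnable handler) {
        REQUEST_USER.set(caller);
        try { handler.run(); } finally { REQUEST_USER.remove(); }
    }

    public static void main(String[] args) {
        rpc("alice", () -> createTable("t_process_owner", false));
        rpc("alice", () -> createTable("t_request_owner", true));
        for (String t : new String[] {"t_process_owner", "t_request_owner"}) {
            System.out.println(t + ": alice can write = " + canWrite(t, "alice")
                + ", hbase can write = " + canWrite(t, "hbase"));
        }
    }
}
```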


