Posted to issues@hbase.apache.org by "Toshihiro Suzuki (Jira)" <ji...@apache.org> on 2020/07/19 08:30:00 UTC

[jira] [Comment Edited] (HBASE-24744) enable_table_replication command granting permissions on table automatically for the user

    [ https://issues.apache.org/jira/browse/HBASE-24744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160602#comment-17160602 ] 

Toshihiro Suzuki edited comment on HBASE-24744 at 7/19/20, 8:29 AM:
--------------------------------------------------------------------

As [~wchevreuil] mentioned, functionally speaking, this wouldn't be a problem. However, as we give the super user special treatment, I don't think we need to add the super user to the acl table.

It looks like the *enable_table_replication* command involves modifyTable internally and *AccessController* adds a user permission after modifyTable:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L919

I think we can skip this if the user is a super user. Making a PR for this.

Also, I think we can skip it for createTable, as well:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L820-L821


was (Author: brfrn169):
As [~wchevreuil] mentioned, functionally speaking, this wouldn't be a problem. However as we give super user a special treatment, I don't think we need to add super user to the acl table.

It looks like *enable_table_replication* command involves modifyTable internally and *AccessController* adds a user permission after modifyTable:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L919

I think we can skip this if the user is super user. Making a RP for this.

Also, I think we can skip it for createTable, as well:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L820-L821

> enable_table_replication command granting permissions on table automatically for the user
> -----------------------------------------------------------------------------------------
>
>                 Key: HBASE-24744
>                 URL: https://issues.apache.org/jira/browse/HBASE-24744
>             Project: HBase
>          Issue Type: Bug
>          Components: acl, security
>    Affects Versions: 2.1.0
>            Reporter: Dhanalakshmi Periyalwar
>            Assignee: Toshihiro Suzuki
>            Priority: Minor
>
> While enabling the table replication for the user table as an hbase user using the "enable_table_replication" command, permission has been granted automatically for the hbase user and is getting listed in hbase:acl. The same behaviour is applicable to other users too.
> Issue Replication Steps:
> ========================
> hbase(main):001:0> whoami
> dhana (auth:SIMPLE)
>     groups: dhana
> Took 0.0214 seconds                                                                                  
> hbase(main):002:0> list
> TABLE                                                                                                
> 0 row(s)
> Took 0.4268 seconds                                                                                  
> => []
> hbase(main):003:0> create 'mytab','f1'
> Created table mytab
> Took 0.7834 seconds                                                                                  
> => Hbase::Table - mytab
> hbase(main):004:0> describe 'mytab'
> Table mytab is ENABLED                                                                               
> mytab                                                                                                
> COLUMN FAMILIES DESCRIPTION                                                                          
> {NAME => 'f1', VERSIONS => '1', EVICT_BLOCKS_ON_CLOSE => 'false', NEW_VERSION_BEHAVIOR => 'false', KE
> EP_DELETED_CELLS => 'FALSE', CACHE_DATA_ON_WRITE => 'false', DATA_BLOCK_ENCODING => 'NONE', TTL => 'F
> OREVER', MIN_VERSIONS => '0', REPLICATION_SCOPE => '0', BLOOMFILTER => 'ROW', CACHE_INDEX_ON_WRITE =>
>  'false', IN_MEMORY => 'false', CACHE_BLOOMS_ON_WRITE => 'false', PREFETCH_BLOCKS_ON_OPEN => 'false',
>  COMPRESSION => 'NONE', BLOCKCACHE => 'true', BLOCKSIZE => '65536'}                                  
> 1 row(s)
> Took 0.1319 seconds                                                                                  
> hbase(main):005:0> scan 'hbase:acl'
> ROW                        COLUMN+CELL                                                               
>  hbase:acl                 column=l:dhana, timestamp=1593669605273, value=RWXCA                      
>  mytab                     column=l:dhana, timestamp=1593673200269, value=RWXCA                      
> 2 row(s)
> Took 0.0969 seconds                                                                                  
> hbase(main):006:0> exit
> hbase(main):001:0> whoami
> hbase (auth:SIMPLE)
>     groups: hbase
> Took 0.0271 seconds                                                                                                                                                                                           
> hbase(main):002:0> scan 'hbase:acl'
> ROW                        COLUMN+CELL                                                               
>  hbase:acl                 column=l:dhana, timestamp=1593669605273, value=RWXCA                      
>  mytab                     column=l:dhana, timestamp=1593673200269, value=RWXCA                      
> 2 row(s)
> Took 0.5223 seconds                                                                                  
> hbase(main):003:0> enable_table_replication 'mytab'
> The replication of table 'mytab' successfully enabled
> Took 16.0711 seconds                                                                                 
> hbase(main):004:0> scan 'hbase:acl'
> ROW                        COLUMN+CELL                                                               
>  hbase:acl                 column=l:dhana, timestamp=1593669605273, value=RWXCA                      
>  mytab                     column=l:dhana, timestamp=1593673200269, value=RWXCA                      
>  mytab                     column=l:hbase, timestamp=1593673390976, value=RWXCA         <========             
> 2 row(s)
> Took 0.0089 seconds                                                                                  
>  
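
An added example, not part of the original message and not HBase code: a small audit helper that diffs two pasted `scan 'hbase:acl'` outputs and reports grants that appeared between them, marking the ones that belong to a super user. The function names and the `superusers` set are assumptions for illustration; the set is expected to be filled by the operator from the cluster's `hbase.superuser` setting.

```python
import re

# One row of `scan 'hbase:acl'` shell output, optionally with a leading
# "> " quote marker, e.g.
#  mytab   column=l:hbase, timestamp=1593673390976, value=RWXCA
ACL_ROW = re.compile(
    r"^\s*(?:>\s*)?(?P<table>\S+)\s+column=l:(?P<user>[^,\s]+),\s*"
    r"timestamp=(?P<ts>\d+),\s*value=(?P<perms>[RWXCA]*)"
)

def parse_acl_scan(text):
    """Return {(table, user): perms} from pasted `scan 'hbase:acl'` output."""
    grants = {}
    for line in text.splitlines():
        m = ACL_ROW.match(line)
        if m:  # headers, "2 row(s)" and "Took ..." lines are skipped
            grants[(m["table"], m["user"])] = m["perms"]
    return grants

def new_grants(before, after, superusers=()):
    """List grants present in `after` but absent or different in `before`.

    Each item is (table, user, perms, is_superuser). Entries with
    is_superuser=True are the redundant rows discussed in the comment.
    """
    old, new = parse_acl_scan(before), parse_acl_scan(after)
    return [
        (table, user, perms, user in superusers)
        for (table, user), perms in sorted(new.items())
        if old.get((table, user)) != perms
    ]

# Sample input constructed from the rows of the two scans in the report.
BEFORE = """\
 hbase:acl                 column=l:dhana, timestamp=1593669605273, value=RWXCA
 mytab                     column=l:dhana, timestamp=1593673200269, value=RWXCA
"""
AFTER = BEFORE + """\
 mytab                     column=l:hbase, timestamp=1593673390976, value=RWXCA         <========
"""

if __name__ == "__main__":
    # "hbase" as the super user is an assumption matching the report.
    for table, user, perms, is_super in new_grants(BEFORE, AFTER, {"hbase"}):
        note = " (super user, redundant)" if is_super else ""
        print(f"new grant: {user} -> {perms} on {table}{note}")
```
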


