[GitHub] [accumulo] ctubbsii commented on a diff in pull request #3011: Add ALTER_NAMESPACE permission for root user to Accumulo and Default namespaces

[GitBox <gi...@apache.org>]

ctubbsii commented on code in PR #3011:
URL: https://github.com/apache/accumulo/pull/3011#discussion_r992743703


##########
server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java:
##########
@@ -396,11 +398,14 @@ public void initializeSecurity(TCredentials itw, String rootuser)
     tablePerms.put(RootTable.ID, Collections.singleton(TablePermission.ALTER_TABLE));
     tablePerms.put(MetadataTable.ID, Collections.singleton(TablePermission.ALTER_TABLE));
     // essentially the same but on the system namespace, the ALTER_TABLE permission is now redundant
+    // After PR #2994 which added security checks for configuration we need to also add
+    // ALTER_NAMESPACE
+    // to both Default and Accumulo Namespaces for the root user.
     Map<NamespaceId,Set<NamespacePermission>> namespacePerms = new HashMap<>();
-    namespacePerms.put(Namespace.ACCUMULO.id(),
+    namespacePerms.put(Namespace.DEFAULT.id(),

Review Comment:
   > You can't remove this or it doesn't work. You have to grant ALTER_NAMESPACE to the default namespace or else when you use the config command as the root user on a table in the default namespace you get a permission error.
   
   Yeah, that's the desired behavior. The root user does not get permissions by default to any user namespaces, including the default namespace (which is really only a legacy namespace intended for user tables, to preserve the ability to specify an unqualified table name, like before the namespace feature was added).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@accumulo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org