Posted to issues@hbase.apache.org by "li xiang (JIRA)" <ji...@apache.org> on 2016/02/20 11:15:18 UTC
[jira] [Commented] (HBASE-10879) user_permission shell command on namespace doesn't work
[ https://issues.apache.org/jira/browse/HBASE-10879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15155540#comment-15155540 ]
li xiang commented on HBASE-10879:
----------------------------------
Hi Ted, I am working on HBASE-14818 and it is based on the function called getUserPermissions() contributed by you in this JIRA. I found that the request sent is with type = Namespace, but the response returned contains Global permissions. I am not sure whether I understand it correctly or whether it might be a bug. Could you please review my findings, as follows:
It is in hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java, from line 2380, and I added some comments to it
{code}
  /**
   * A utility used to get permissions for selected namespace.
   * <p>
   * It's also called by the shell, in case you want to find references.
   *
   * @param protocol the AccessControlService protocol proxy
   * @param namespace name of the namespace
   * @throws ServiceException
   */
  public static List<UserPermission> getUserPermissions(
      AccessControlService.BlockingInterface protocol,
      byte[] namespace) throws ServiceException {
    AccessControlProtos.GetUserPermissionsRequest.Builder builder =
      AccessControlProtos.GetUserPermissionsRequest.newBuilder();
    if (namespace != null) {
      builder.setNamespaceName(ByteStringer.wrap(namespace));
    }
    builder.setType(AccessControlProtos.Permission.Type.Namespace); // builder is set with type = Namespace
    AccessControlProtos.GetUserPermissionsRequest request = builder.build(); // I printed the request, its type is Namespace, which is correct.
    AccessControlProtos.GetUserPermissionsResponse response =
      protocol.getUserPermissions(null, request);
    /* I printed the response, it contains Global permissions, as below, not a Namespace permission. Why?
    user_permission {
      user: "a1"
      permission {
        type: Global
        global_permission {
          action: READ
          action: WRITE
          action: ADMIN
          action: EXEC
          action: CREATE
        }
      }
    }
    AccessControlProtos.GetUserPermissionsRequest has a member called type_ to store the type, but AccessControlProtos.GetUserPermissionsResponse does not.
    */
    List<UserPermission> perms = new ArrayList<UserPermission>(response.getUserPermissionCount());
    for (AccessControlProtos.UserPermission perm: response.getUserPermissionList()) {
      perms.add(ProtobufUtil.toUserPermission(perm)); // (1)
    }
    return perms;
  }
{code}
The perms returned are all Global user permissions. But I feel that in this function, you might like to return a list of Namespace user permissions.
If that is the case, the line marked "// (1)" above can be changed from
{code}
perms.add(ProtobufUtil.toUserPermission(perm));
{code}
to
{code}
perms.add(new UserPermission(perm.getUser().toByteArray(), Bytes.toString(namespace), toTablePermission(perm.getPermission()).getActions()));
{code}
ProtobufUtil.toUserPermission() calls toTablePermission(), which acts differently according to Global/Namespace/Table user permission types. If the perm sent to toTablePermission() has type=Namespace set, the namespace field can be set. But the permissions returned by response.getUserPermissionList() have type=Global.
It is quite weird that I grant a Namespace user permission, and then send a getUserPermission request which is also with type=Namespace, but the response returned contains a list of Global user permissions. Do you know why?
> user_permission shell command on namespace doesn't work
> -------------------------------------------------------
>
> Key: HBASE-10879
> URL: https://issues.apache.org/jira/browse/HBASE-10879
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 0.98.2, 0.96.3
>
> Attachments: 10879-v1.txt, 10879-v2.txt
>
>
> Currently user_permission command on namespace, e.g.
> {code}
> user_permission '@ns'
> {code}
> would result in the following exception:
> {code}
> Exception `NameError' at /usr/lib/hbase/lib/ruby/hbase/security.rb:170 - no method 'getUserPermissions' for arguments (org.apache.hadoop.hbase.protobuf.generated. AccessControlProtos.AccessControlService.BlockingStub,org.jruby.java.proxies.ArrayJavaProxy) on Java::OrgApacheHadoopHbaseProtobuf::ProtobufUtil
> ERROR: no method 'getUserPermissions' for arguments (org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.BlockingStub,org.jruby.java. proxies.ArrayJavaProxy) on Java::OrgApacheHadoopHbaseProtobuf::ProtobufUtil
> Backtrace: /usr/lib/hbase/lib/ruby/hbase/security.rb:170:in `user_permission'
> /usr/lib/hbase/lib/ruby/shell/commands/user_permission.rb:39:in `command'
> org/jruby/RubyKernel.java:2109:in `send'
> /usr/lib/hbase/lib/ruby/shell/commands.rb:34:in `command_safe'
> /usr/lib/hbase/lib/ruby/shell/commands.rb:91:in `translate_hbase_exceptions'
> /usr/lib/hbase/lib/ruby/shell/commands.rb:34:in `command_safe'
> /usr/lib/hbase/lib/ruby/shell.rb:127:in `internal_command'
> /usr/lib/hbase/lib/ruby/shell.rb:119:in `command'
> (eval):2:in `user_permission'
> (hbase):1:in `evaluate'
> org/jruby/RubyKernel.java:1112:in `eval'
> {code}
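The mismatch discussed in the comment above, modelled as an added example (not part of the original message and not HBase code): it compares a conversion driven by each entry's own type with one bound to the namespace of the request, and lists entries whose type differs from the requested type. The types are simplified stand-ins for the protobuf classes, and the namespace `ns1` and the sample entry are constructed.

```java
import java.util.List;

public class NamespaceScopeCheck {
    // Hypothetical stand-ins for the protobuf types named in the comment.
    enum Type { Global, Namespace, Table }
    enum Action { READ, WRITE, ADMIN, EXEC, CREATE }

    /** One response entry; namespace is only present when type is Namespace. */
    record WirePermission(String user, Type type, String namespace, List<Action> actions) {}

    /** Client-side view of a grant; namespace == null means a global grant. */
    record Grant(String user, String namespace, List<Action> actions) {}

    /** Conversion that trusts the entry's own type, as toUserPermission() is described. */
    static Grant byEntryType(WirePermission p) {
        String ns = (p.type() == Type.Namespace) ? p.namespace() : null;
        return new Grant(p.user(), ns, p.actions());
    }

    /** Conversion that takes the scope from the request, as the comment proposes. */
    static Grant boundToRequest(String requestedNamespace, WirePermission p) {
        return new Grant(p.user(), requestedNamespace, p.actions());
    }

    /** Entries whose type differs from the type that was requested. */
    static List<WirePermission> typeMismatches(Type requested, List<WirePermission> entries) {
        return entries.stream().filter(e -> e.type() != requested).toList();
    }

    public static void main(String[] args) {
        String requestedNs = "ns1"; // constructed sample namespace
        // Constructed entry mirroring the printed response: user a1, type Global.
        List<WirePermission> response = List.of(new WirePermission("a1", Type.Global, null,
            List.of(Action.READ, Action.WRITE, Action.ADMIN, Action.EXEC, Action.CREATE)));

        for (WirePermission p : response) {
            System.out.println("by entry type   : " + byEntryType(p));
            System.out.println("bound to request: " + boundToRequest(requestedNs, p));
        }
        // A non-empty list here is the condition the comment reports.
        System.out.println("type mismatches : " + typeMismatches(Type.Namespace, response));
    }
}
```

With the first conversion a permission listing for `ns1` shows the entry with no namespace, so a reviewer reads it as a cluster-wide grant; the mismatch list gives a client a way to log that condition instead of silently relabelling it.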