You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Enis Soztutar (Created) (JIRA)" <ji...@apache.org> on 2012/02/11 01:07:00 UTC
[jira] [Created] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Delete table/column should delete stored permissions on -acl- table
---------------------------------------------------------------------
Key: HBASE-5385
URL: https://issues.apache.org/jira/browse/HBASE-5385
Project: HBase
Issue Type: Sub-task
Components: security
Affects Versions: 0.94.0
Reporter: Enis Soztutar
Assignee: Enis Soztutar
Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13265451#comment-13265451 ]
Matteo Bertozzi commented on HBASE-5385:
----------------------------------------
{quote}
On preCreateTable and preAddColumn, ensure that the acl table is empty for the table / column. We might still have residual acl entries if smt goes wrong. If so, we should refuse creating a table by throwing a kind of access control exception.
{quote}
Currently there's no check on grant to see if the table/family/qualifier exist.
Maybe we can open another jira for this, to implement the exists check on grant and verify in all pre* if there's nothing left.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Hofhansl closed HBASE-5385.
--------------------------------
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Fix For: 0.92.2, 0.94.1, 0.96.0
>
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Zhihong Yu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273915#comment-13273915 ]
Zhihong Yu commented on HBASE-5385:
-----------------------------------
@Matteo:
Now that HBASE-5342 went in, can you rebase patch v3 :-) ?
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273945#comment-13273945 ]
Hadoop QA commented on HBASE-5385:
----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12526622/HBASE-5385-v3.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 hadoop23. The patch compiles against the hadoop 0.23.x profile.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 31 new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
-1 core tests. The patch failed these unit tests:
org.apache.hadoop.hbase.TestDrainingServer
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1860//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1860//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1860//console
This message is automatically generated.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273949#comment-13273949 ]
Hudson commented on HBASE-5385:
-------------------------------
Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #2 (See [https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/2/])
HBASE-5385 Delete table/column should delete stored permissions on -acl- table (Matteo Bertozi) (Revision 1337512)
Result = FAILURE
tedyu :
Files :
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Zhihong Yu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zhihong Yu updated HBASE-5385:
------------------------------
Attachment: 5385-v3.patch
Patch v3 puts scanner.close() in finally block.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13265212#comment-13265212 ]
Enis Soztutar commented on HBASE-5385:
--------------------------------------
Looks good. Can we add:
1. Audit logging AccessController.AUDITLOG
2. On preCreateTable and preAddColumn, ensure that the acl table is empty for the table / column. We might still have residual acl entries if smt goes wrong. If so, we should refuse creating a table by throwing a kind of access control exception.
Andrew, any comments?
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Resolution: Fixed
Fix Version/s: 0.94.1
0.96.0
0.92.2
Status: Resolved (was: Patch Available)
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Fix For: 0.92.2, 0.96.0, 0.94.1
>
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Status: Patch Available (was: Open)
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi reassigned HBASE-5385:
--------------------------------------
Assignee: Matteo Bertozzi (was: Enis Soztutar)
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273973#comment-13273973 ]
Hudson commented on HBASE-5385:
-------------------------------
Integrated in HBase-TRUNK #2876 (See [https://builds.apache.org/job/HBase-TRUNK/2876/])
HBASE-5385 Delete table/column should delete stored permissions on -acl- table (Matteo Bertozi) (Revision 1337512)
Result = FAILURE
tedyu :
Files :
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Attachment: HBASE-5385-v2.patch
patch rebased, HBASE-5732 went in.
(Also opened HBASE-5947, for the pre/post check for empty acl)
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13265400#comment-13265400 ]
Hadoop QA commented on HBASE-5385:
----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12525101/HBASE-5385-v1.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 hadoop23. The patch compiles against the hadoop 0.23.x profile.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
-1 core tests. The patch failed these unit tests:
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1693//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1693//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1693//console
This message is automatically generated.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Zhihong Yu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273934#comment-13273934 ]
Zhihong Yu commented on HBASE-5385:
-----------------------------------
Patch v3 integrated to trunk.
Thanks for the patch, Matteo.
Thanks for the review, Andy.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Attachment: HBASE-5385-v0.patch
Remove a table from _acl_ is straightforward, but remove a column from it is not as easy.
The _acl_ table has table name as key, and has one column family that contains user rights.
{code}
tablename -> user -> rights
tablename -> user,family -> rights
tablename -> user,family,qualifier -> rights
{code}
To remove a table column from the _acl_ we need to remove the table rows where the qualifier contains ',family'.
Any thoughts on how to implement that? Adding a Delete Filter?
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268999#comment-13268999 ]
Andrew Purtell commented on HBASE-5385:
---------------------------------------
+1 looks good.
bq. Maybe we can open another jira for this, to implement the exists check on grant and verify in all pre* if there's nothing left.
This is a good idea since it's a different problem scope than this jira.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273916#comment-13273916 ]
Hadoop QA commented on HBASE-5385:
----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12526619/5385-v3.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 hadoop23. The patch compiles against the hadoop 0.23.x profile.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 27 new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
-1 core tests. The patch failed these unit tests:
org.apache.hadoop.hbase.TestDrainingServer
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1859//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1859//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1859//console
This message is automatically generated.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Attachment: HBASE-5385-v3.patch
rebase after HBASE-5342 merge
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch, HBASE-5385-v3.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273902#comment-13273902 ]
Hadoop QA commented on HBASE-5385:
----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12526613/HBASE-5385-v2.patch
against trunk revision .
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 hadoop23. The patch compiles against the hadoop 0.23.x profile.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 27 new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
-1 core tests. The patch failed these unit tests:
org.apache.hadoop.hbase.replication.TestReplication
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1856//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1856//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1856//console
This message is automatically generated.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: 5385-v3.patch, HBASE-5385-v0.patch, HBASE-5385-v1.patch, HBASE-5385-v2.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-5385) Delete table/column should delete
stored permissions on -acl- table
Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5385?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-5385:
-----------------------------------
Attachment: HBASE-5385-v1.patch
Perform a Scan with QualifierFilter to remove a column from the _acl_ table.
> Delete table/column should delete stored permissions on -acl- table
> ---------------------------------------------------------------------
>
> Key: HBASE-5385
> URL: https://issues.apache.org/jira/browse/HBASE-5385
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0
> Reporter: Enis Soztutar
> Assignee: Matteo Bertozzi
> Attachments: HBASE-5385-v0.patch, HBASE-5385-v1.patch
>
>
> Deleting the table or a column does not cascade to the stored permissions at the -acl- table. We should also remove those permissions, otherwise, it can be a security leak, where freshly created tables contain permissions from previous same-named tables. We might also want to ensure, upon table creation, that no entries are already stored at the -acl- table.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira