[ 
https://issues.apache.org/jira/browse/HBASE-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Purtell resolved HBASE-5352.
-----------------------------------

    Resolution: Fixed
      Assignee:     (was: Enis Soztutar)

This umbrella has seen it's day. Will spin out still relevant unfinished 
subtasks to top level issues.

> ACL improvements
> ----------------
>
>                 Key: HBASE-5352
>                 URL: https://issues.apache.org/jira/browse/HBASE-5352
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0
>            Reporter: Enis Soztutar
>
> In this issue I would like to open discussion for a few minor ACL related 
> improvements. The proposed changes are as follows: 
> 1. Introduce something like 
> AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so 
> that clients can check access rights before carrying out the operations. We 
> need this kind of operation for HCATALOG-245, which introduces authorization 
> providers for hbase over hcat. We cannot use getUserPermissions() since it 
> requires ADMIN permissions on the global/table level.
> 2. getUserPermissions(tableName)/grant/revoke and drop/modify table 
> operations should not check for global CREATE/ADMIN rights, but table 
> CREATE/ADMIN rights. The reasoning is that if a user is able to admin or read 
> from a table, she should be able to read the table's permissions. We can 
> choose whether we want only READ or ADMIN permissions for 
> getUserPermission(). Since we check for global permissions first for table 
> permissions, configuring table access using global permissions will continue 
> to work.  
> 3. Grant/Revoke global permissions - HBASE-5342 (included for completeness)
> From all 3, we may want to backport the first one to 0.92 since without it, 
> Hive/Hcatalog cannot use Hbase's authorization mechanism effectively. 
> I will create subissues and convert HBASE-5342 to a subtask when we get some 
> feedback, and opinions for going further. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to