[ https://issues.apache.org/jira/browse/HBASE-12536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell resolved HBASE-12536. ------------------------------------ Resolution: Fixed Hadoop Flags: Reviewed > Reduce the effective scope of GLOBAL CREATE and ADMIN permission > ---------------------------------------------------------------- > > Key: HBASE-12536 > URL: https://issues.apache.org/jira/browse/HBASE-12536 > Project: HBase > Issue Type: Bug > Components: security > Reporter: Andrew Purtell > Assignee: Andrew Purtell > Fix For: 2.0.0, 0.99.2, 0.98.8, 0.94.24 > > Attachments: HBASE-12536-0.94.patch, HBASE-12536-0.98.patch, > HBASE-12536.patch > > > The current implementation of the AccessController grants users with *GLOBAL* > CREATE or ADMIN privilege implicit write access to the META and ACL tables, > so when a new table is created new entries can be added to META and ACL > appropriately in the pre and post handlers with the credentials supplied in > the RPC context. Although any user with GLOBAL CREATE or ADMIN is already > superuser-like in many respects, the implicit write privilege is an artifact > of implementation that should be changed. We can remove the implicit write > access. After doing so, users with GLOBAL CREATE will not be able to elevate > their privileges unexpectedly through direct access to the ACL table. A > GLOBAL ADMIN will be still correctly be allowed to grant themselves any > desired privilege. > This issue was discovered and raised by [~devaraj] on private@hbase as a > potential security issue and was included in the 0.94.24 and 0.98.8 releases > prior to the filing of this JIRA. > I've set the priority of this issue only at 'Major' since it only affects > users with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a > superuser, and GLOBAL CREATE likewise should already also be considered > superuser-lite access and sparingly granted to trusted personnel. -- This message was sent by Atlassian JIRA (v6.3.4#6332)