[
https://issues.apache.org/jira/browse/HBASE-12536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell resolved HBASE-12536.
------------------------------------
Resolution: Fixed
Hadoop Flags: Reviewed
> Reduce the effective scope of GLOBAL CREATE and ADMIN permission
> ----------------------------------------------------------------
>
> Key: HBASE-12536
> URL: https://issues.apache.org/jira/browse/HBASE-12536
> Project: HBase
> Issue Type: Bug
> Components: security
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Fix For: 2.0.0, 0.99.2, 0.98.8, 0.94.24
>
> Attachments: HBASE-12536-0.94.patch, HBASE-12536-0.98.patch,
> HBASE-12536.patch
>
>
> The current implementation of the AccessController grants users with *GLOBAL*
> CREATE or ADMIN privilege implicit write access to the META and ACL tables,
> so when a new table is created new entries can be added to META and ACL
> appropriately in the pre and post handlers with the credentials supplied in
> the RPC context. Although any user with GLOBAL CREATE or ADMIN is already
> superuser-like in many respects, the implicit write privilege is an artifact
> of implementation that should be changed. We can remove the implicit write
> access. After doing so, users with GLOBAL CREATE will not be able to elevate
> their privileges unexpectedly through direct access to the ACL table. A
> GLOBAL ADMIN will be still correctly be allowed to grant themselves any
> desired privilege.
> This issue was discovered and raised by [~devaraj] on private@hbase as a
> potential security issue and was included in the 0.94.24 and 0.98.8 releases
> prior to the filing of this JIRA.
> I've set the priority of this issue only at 'Major' since it only affects
> users with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a
> superuser, and GLOBAL CREATE likewise should already also be considered
> superuser-lite access and sparingly granted to trusted personnel.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
