[
https://issues.apache.org/jira/browse/HBASE-16203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Enis Soztutar resolved HBASE-16203.
-----------------------------------
Resolution: Invalid
Can you please ask the question u...@hbase.apache.org or dev@hbase.apache.org.
In short, you should give authorization to a principal (like newUser), rather
than an instance of the principle, like "newUser/hostname@DOMAIN".
> may be a bug on hbase authorization
> -----------------------------------
>
> Key: HBASE-16203
> URL: https://issues.apache.org/jira/browse/HBASE-16203
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.98.10
> Reporter: wangyongqiang
>
> in hbase with kerbose and authorization on, I enter hbase shell with a hbase
> super user, and do the following steps:
> {quote}
> 1. grant "newUser/sla...@hadoop.com"
> "newUser/sla...@hadoop.com" is one of the kerbose principles
> 2. exit hbase shell
> 3. enter hbase shell again with principle "newUser/sla...@hadoop.com"
> 4. scan 't1'
> t1 is one of the table in hbase
> {quote}
> the result is: AccessDeniedException
> after debug regionServer code, I find the problem is:
> {quote}
> 1. when we grant the global admin to "newUser/sla...@hadoop.com",
> TableAuthManager store this info with the whole name,
> newUser/sla...@hadoop.com
> 2. when we enter hbase shell with principle "newUser/sla...@hadoop.com" and
> scan table, regionServer will do do authorization check, such as check if the
> user is superUser
> when do this check, use the short name(newUser), not the whole
> name(newUser/sla...@hadoop.com)
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
