[ https://issues.apache.org/jira/browse/HBASE-8692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13694869#comment-13694869 ]
stack commented on HBASE-8692:
------------------------------

This looks to have broken TestAccessController. See http://54.241.6.143/job/HBase-0.95-Hadoop-2/org.apache.hbase$hbase-server/508/testReport/org.apache.hadoop.hbase.security.access/TestAccessController/testBulkLoad/

I added debug to the exception:

Expected action to pass for user 'rwuser' but was denied: org.apache.hadoop.hbase.exceptions.AccessDeniedException: org.apache.hadoop.hbase.exceptions.AccessDeniedException: Insufficient permissions (user=rwuser, scope=testBulkLoad, family=, action=CREATE)
    at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:351)
    at org.apache.hadoop.hbase.security.access.AccessController.preGetTableDescriptors(AccessController.java:1391)
    at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preGetTableDescriptors(MasterCoprocessorHost.java:1125)
    at org.apache.hadoop.hbase.master.HMaster.getTableDescriptors(HMaster.java:2418)
    at org.apache.hadoop.hbase.protobuf.generated.MasterMonitorProtos$MasterMonitorService$2.callBlockingMethod(MasterMonitorProtos.java:2702)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2122)
    at org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1829)

The rwuser does not have the now required CREATE permission.

The testBulkLoad has been failing solidly for a while now.
I'll disable it for the moment till this is addressed over in HBASE-8799

> [AccessController] Restrict HTableDescriptor enumeration
> --------------------------------------------------------
>
>                 Key: HBASE-8692
>                 URL: https://issues.apache.org/jira/browse/HBASE-8692
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0, 0.95.1, 0.94.9
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>             Fix For: 0.98.0, 0.95.2, 0.94.9
>
>         Attachments: 8692-0.94.patch, 8692-0.94.patch, 8692-0.94.patch,
>                      8692-0.94.patch, 8692.patch, 8692.patch, 8692.patch, 8692.patch
>
>
> Some users are concerned about having table schema exposed to every user and
> would like it protected, similar to the rest of the admin operations for
> schema.
>
> This used to be hopeless because META would leak HTableDescriptors in
> HRegionInfo, but that is no longer the case in 0.94+.
>
> Consider adding CP hooks in the master for intercepting
> HMasterInterface#getHTableDescriptors and
> HMasterInterface#getHTableDescriptors(List<String>). Add support in the
> AccessController for only allowing GLOBAL ADMIN to the first method. Add
> support in the AccessController for allowing access to the descriptors for
> the table names in the list of the second method only if the user has TABLE
> ADMIN privilege for all of the listed table names.
>
> Then, fix the code in HBaseAdmin (and elsewhere) that expects to be able to
> enumerate all table descriptors e.g. in deleteTable. A TABLE ADMIN can delete
> a table but won’t have GLOBAL ADMIN privilege to enumerate the total list. So
> a minor fixup is needed here, and in other places like this which make the
> same assumption.
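
The access rule proposed in the issue description, as an added Java example; it is not HBase code and not part of the original message. It is a self-contained model in which every class, method and user name is hypothetical except rwuser and testBulkLoad, which come from the test failure in the comment. It checks ADMIN as the description proposes, whereas the denial in the comment reports action=CREATE.

```java
import java.util.*;

// Model of the proposed rule only. Not HBase code; every name is hypothetical.
public class DescriptorAccessModel {
    enum Action { READ, WRITE, CREATE, ADMIN }
    static final String GLOBAL = "*";  // constructed marker for a global grant

    // user -> scope (table name or GLOBAL) -> granted actions
    private final Map<String, Map<String, Set<Action>>> grants = new HashMap<>();

    void grant(String user, String scope, Action... actions) {
        grants.computeIfAbsent(user, u -> new HashMap<>())
              .computeIfAbsent(scope, s -> EnumSet.noneOf(Action.class))
              .addAll(Arrays.asList(actions));
    }

    private boolean has(String user, String scope, Action a) {
        Map<String, Set<Action>> byScope = grants.getOrDefault(user, Collections.emptyMap());
        return byScope.getOrDefault(GLOBAL, Collections.emptySet()).contains(a)
            || byScope.getOrDefault(scope, Collections.emptySet()).contains(a);
    }

    // getHTableDescriptors(): enumerating every schema needs GLOBAL ADMIN.
    boolean mayListAll(String user) {
        return has(user, GLOBAL, Action.ADMIN);
    }

    // getHTableDescriptors(List<String>): ADMIN on every named table, all or nothing,
    // so one unauthorized name cannot ride along with authorized ones.
    boolean mayGet(String user, List<String> tables) {
        // Assumption: an empty list is treated like "everything" and fails closed.
        if (tables.isEmpty()) return mayListAll(user);
        for (String t : tables) {
            if (!has(user, t, Action.ADMIN)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        DescriptorAccessModel acl = new DescriptorAccessModel();
        acl.grant("root", GLOBAL, Action.ADMIN);                        // constructed grants
        acl.grant("owner", "t1", Action.ADMIN);
        acl.grant("rwuser", "testBulkLoad", Action.READ, Action.WRITE);

        System.out.println(acl.mayListAll("root"));                     // GLOBAL ADMIN enumerates all
        System.out.println(acl.mayListAll("owner"));                    // TABLE ADMIN tries to enumerate all
        System.out.println(acl.mayGet("owner", Arrays.asList("t1")));   // the narrow lookup deleteTable needs
        System.out.println(acl.mayGet("owner", Arrays.asList("t1", "t2")));      // one table without ADMIN
        System.out.println(acl.mayGet("rwuser", Arrays.asList("testBulkLoad"))); // READ/WRITE grant only
    }
}
```

The last call mirrors the test failure in the comment: a user holding only READ and WRITE on a table is refused that table's descriptor once the lookup is gated on a schema-level permission.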