[
https://issues.apache.org/jira/browse/HBASE-8692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13735428#comment-13735428
]
Francis Liu commented on HBASE-8692:
------------------------------------
{quote}
It works if the shell is authenticated as a principal with admin privilege.
{quote}
Yeah sorry that's what I meant as majority of users aren't admins and "list" to
me is one of the first thing users do after opening the CLI. Is that the intent
then? Non-admin users can't list tables?
{quote}
No, because the page is rendered by the HBase daemon running under the service
account, which is given superuser privilege. It's expected the UIs are
protected since they leak other sensitive information.
{quote}
Instead of blocking access why not secure it like the other hadoop admin pages?
{quote}
The requirement we had was to protect the descriptors. An expansive reading
would include the table names, but I have no opinion here. A separate API for
that sounds good to me.
{quote}
I see, I'm trying to come up with a clear picture of what should be secured and
what's not in this context. As I'm trying to how things tie in with namespaces
(See HBASE-8409). Presently there's an api to list all the table descriptors of
a given namespace. It sounds like that api should return table names instead.
> [AccessController] Restrict HTableDescriptor enumeration
> --------------------------------------------------------
>
> Key: HBASE-8692
> URL: https://issues.apache.org/jira/browse/HBASE-8692
> Project: HBase
> Issue Type: Improvement
> Components: Coprocessors, security
> Affects Versions: 0.98.0, 0.95.1, 0.94.9
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Fix For: 0.98.0, 0.95.2, 0.94.9
>
> Attachments: 8692-0.94.patch, 8692-0.94.patch, 8692-0.94.patch,
> 8692-0.94.patch, 8692.patch, 8692.patch, 8692.patch, 8692.patch
>
>
> Some users are concerned about having table schema exposed to every user and
> would like it protected, similar to the rest of the admin operations for
> schema.
> This used to be hopeless because META would leak HTableDescriptors in
> HRegionInfo, but that is no longer the case in 0.94+.
> Consider adding CP hooks in the master for intercepting
> HMasterInterface#getHTableDescriptors and
> HMasterInterface#getHTableDescriptors(List<String>). Add support in the
> AccessController for only allowing GLOBAL ADMIN to the first method. Add
> support in the AccessController for allowing access to the descriptors for
> the table names in the list of the second method only if the user has TABLE
> ADMIN privilege for all of the listed table names.
> Then, fix the code in HBaseAdmin (and elsewhere) that expects to be able to
> enumerate all table descriptors e.g. in deleteTable. A TABLE ADMIN can delete
> a table but won’t have GLOBAL ADMIN privilege to enumerate the total list. So
> a minor fixup is needed here, and in other places like this which make the
> same assumption.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
