[ https://issues.apache.org/jira/browse/HBASE-8409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13736474#comment-13736474 ]
stack commented on HBASE-8409:
------------------------------

I know you are following 'convention' but I hate that we have work other than conversion going on in protobufutil; to be addressed in subsequent issues.

Regards:

+ //we need to refacting this into three classes (Global, Table, Namespace)

...what are implications of not refactoring? It all works, it is just ugly?

So, this is like a union in that enum says what is following -- a global, ns, or table?

+ enum Type {
+ Global = 1;
+ Namespace = 2;
+ Table = 3;
+ }
+ required Type type = 1;
+ optional GlobalPermission global_permission = 2;
+ optional NamespacePermission namespace_permission = 3;
+ optional TablePermission table_permission = 4;

We migrate meta before we rename it now?

Patch lgtm. Has new test for new functionality.

[~andrew.purt...@gmail.com] What you think boss? Or [~ghelmling]?

Thanks lads.

> Security support for namespaces
> -------------------------------
>
> Key: HBASE-8409
> URL: https://issues.apache.org/jira/browse/HBASE-8409
> Project: HBase
> Issue Type: Sub-task
> Reporter: Francis Liu
> Assignee: Vandana Ayyalasomayajula
> Priority: Blocker
> Fix For: 0.98.0, 0.95.2
>
> Attachments: HBASE-8049_trunk.patch, HBASE-8409_2.patch, TestNamespaceUpgrade.tgz
>
>
> This task adds the security piece to the namespace feature. The work related
> to migration of the existing acl table to the new namespace is remaining and
> will be completed in the follow up patch. Permissions can be granted to a
> namespace by the hbase admin, by appending '@' to the namespace name. A user
> with write or admin permissions on a given namespace can create tables in
> that namespace. The other privileges (R, X, C) do not have any special
> meaning w.r.t. namespaces. Any users of hbase can list tables in a namespace.
>
> The following commands can only be executed by HBase admins.
> 1. Grant privileges for user on Namespace.
> 2. Revoke privileges for user on Namespace.
>
> Grant Command:
> hbase> grant 'tenant-A', 'W', '@N1'
> In the above example, the command will grant the user 'tenant-A' write
> privileges for a namespace named "N1".
>
> Revoke Command:
> hbase> revoke 'tenant-A', '@N1'
> In the above example, the command will revoke all privileges from user
> 'tenant-A' for namespace named "N1".
>
> Let's see an example on how privileges work with namespaces.
>
> User "Mike" requests a namespace named "hbase_perf" with the hbase admin.
> whoami: hbase
> hbase shell >> namespace_create 'hbase_perf'
> hbase shell >> grant 'mike', 'W', '@hbase_perf'
>
> Mike creates two tables "table20" and "table50" in the above workspace.
> whoami: mike
> hbase shell >> create 'hbase_perf.table20', 'family1'
> hbase shell >> create 'hbase_perf.table50', 'family1'
>
> Note: As Mike was able to create tables 'hbase_perf.table20',
> 'hbase_perf.table50', he becomes the owner of those tables.
> This means he has "RWXCA" perms on those tables.
>
> Another team member of Mike, Alice wants also to share the same workspace
> "hbase_perf". HBase admin grants Alice also permission to create tables in
> "hbase_perf" namespace.
> whoami: hbase
> hbase shell >> grant 'alice', 'W', '@hbase_perf'
>
> Now Alice can create new tables under "hbase_perf" namespace, but cannot
> read, write, alter, delete existing tables in the namespace.
>
> whoami: alice
> hbase shell >> namespace_list_tables 'hbase_perf'
> hbase_perf.table20
> hbase_perf.table50
> hbase shell >> scan 'hbase_perf.table20'
> AccessDeniedException
>
> If Alice wants to read or write to existing tables in the "hbase_perf"
> namespace, hbase admins need to explicitly grant permission.
>
> whoami: hbase
> hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20'
> hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50'
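
Review bot: in the quoted .proto hunk, `required Type type = 1` sits beside three `optional` sub-messages, so the schema does not tie the tag to the payload: a message can carry `type = Table` with only `namespace_permission` set, with more than one sub-message set, or with none. The code that decodes this message should reject any message where the field matching `type` is absent or a non-matching field is present, instead of falling through to a default scope, and a test with a mismatched message would pin that behaviour down.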
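
The privilege rules from the quoted issue description, replayed as a small Python model. This is an added example, not HBase code or part of the patch; `NamespaceAcl`, `replay`, the admin bypass in `_has` and the rule that a holder of 'A' on a table may grant on it are assumptions of the model.

```python
class AccessDenied(Exception):
    """Raised where the page's shell session shows AccessDeniedException."""

class NamespaceAcl:
    """Simplified model of the description's rules; not HBase's AccessController."""
    def __init__(self, admins):
        self.admins = set(admins)
        self.grants = {}   # (user, scope) -> permission letters; '@ns' is a namespace scope
        self.tables = {}   # namespace -> table names, in creation order

    def _has(self, user, scope, wanted):
        # Assumption: HBase admins pass every check.
        return user in self.admins or bool(self.grants.get((user, scope), set()) & set(wanted))

    def _require_grantor(self, caller, scope):
        # Namespace grants/revokes are admin-only per the description. Letting a
        # table's 'A' holder grant on that table is an assumption of this model.
        if scope.startswith("@") and caller not in self.admins:
            raise AccessDenied(f"{caller} cannot change privileges on {scope}")
        if not self._has(caller, scope, "A"):
            raise AccessDenied(f"{caller} cannot change privileges on {scope}")

    def grant(self, caller, user, perms, scope):
        self._require_grantor(caller, scope)
        self.grants.setdefault((user, scope), set()).update(perms)

    def revoke(self, caller, user, scope):
        self._require_grantor(caller, scope)
        self.grants.pop((user, scope), None)   # revoke drops all privileges on the scope

    def create_table(self, user, table):
        ns = table.split(".", 1)[0]            # assumes the page's 'ns.table' naming
        if not self._has(user, "@" + ns, "WA"):
            raise AccessDenied(f"{user} cannot create tables in {ns}")
        self.tables.setdefault(ns, []).append(table)
        self.grants[(user, table)] = set("RWXCA")   # creator becomes owner

    def list_tables(self, user, ns):
        return list(self.tables.get(ns, []))   # any user may list a namespace

    def check(self, user, table, action):
        # Only table-level grants count: 'W' on '@ns' gives nothing on existing tables.
        if not self._has(user, table, action):
            raise AccessDenied(f"{user} lacks {action} on {table}")
        return True

def replay():
    """Replays the Mike/Alice session; returns (listing, scan before grant, scan after)."""
    acl = NamespaceAcl(admins={"hbase"})
    acl.grant("hbase", "mike", "W", "@hbase_perf")
    acl.create_table("mike", "hbase_perf.table20")
    acl.grant("hbase", "alice", "W", "@hbase_perf")
    try:
        before = acl.check("alice", "hbase_perf.table20", "R")
    except AccessDenied:
        before = False
    acl.grant("hbase", "alice", "RW", "hbase_perf.table20")
    return acl.list_tables("alice", "hbase_perf"), before, acl.check("alice", "hbase_perf.table20", "R")
```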