[ https://issues.apache.org/jira/browse/HBASE-8409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13739125#comment-13739125 ]
Hudson commented on HBASE-8409: ------------------------------- FAILURE: Integrated in hbase-0.95 #442 (See [https://builds.apache.org/job/hbase-0.95/442/]) HBASE-8409 Security support for namespaces (stack: rev 1513668) * /hbase/branches/0.95/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java * /hbase/branches/0.95/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/RequestConverter.java * /hbase/branches/0.95/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ResponseConverter.java * /hbase/branches/0.95/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java * /hbase/branches/0.95/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java * /hbase/branches/0.95/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java * /hbase/branches/0.95/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/AccessControlProtos.java * /hbase/branches/0.95/hbase-protocol/src/main/protobuf/AccessControl.proto * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/migration/NamespaceUpgrade.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthResult.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java * /hbase/branches/0.95/hbase-server/src/main/java/org/apache/hadoop/hbase/thrift/generated/Hbase.java * /hbase/branches/0.95/hbase-server/src/test/data/TestNamespaceUpgrade.tgz * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestSecureLoadIncrementalHFiles.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestSecureLoadIncrementalHFilesSplitRecovery.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/migration/TestNamespaceUpgrade.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java * /hbase/branches/0.95/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java > Security support for namespaces > ------------------------------- > > Key: HBASE-8409 > URL: https://issues.apache.org/jira/browse/HBASE-8409 > Project: HBase > Issue Type: Sub-task > Reporter: Francis Liu > Assignee: Vandana Ayyalasomayajula > Priority: Blocker > Fix For: 0.98.0, 0.95.2 > > Attachments: 8409_095.txt, HBASE-8049_trunk.patch, > HBASE-8409_2.patch, HBASE-8409_3.patch, HBASE-8409_4.patch, > TestNamespaceUpgrade.tgz > > > This task adds the security piece to the namespace feature. The work related > to migration of the existing acl table to the new namespace is remaining and > will be completed in the follow up patch. Permissions can be granted to a > namespace by the hbase admin, by appending '@' to the namespace name. A user > with write or admin permissions on a given namespace can create tables in > that namespace. The other privileges (R, X, C ) do not have any special > meaning w.r.t namespaces. Any users of hbase can list tables in a namespace. > > The following commands can only be executed by HBase admins. > 1. Grant privileges for user on Namespace. > 2. Revoke privileges for user on Namespace > Grant Command: > hbase> grant 'tenant-A' 'W' '@N1' > In the above example, the command will grant the user 'tenant-A' write > privileges for a namespace named "N1". > Revoke Command: > hbase> revoke 'tenant-A''@N1' > In the above example, the command will revoke all privileges from user > 'tenant-A' for namespace named "N1". > Lets see an example on how privileges work with namespaces. > > User "Mike" request for a namespace named "hbase_perf" with the hbase admin. > whoami: hbase > hbase shell >> namespace_create 'hbase_perf' > hbase shell >> grant 'mike', 'W', '@hbase_perf' > Mike creates two tables "table20" and "table50" in the above workspace. > whoami: mike > hbase shell >> create 'hbase_perf.table20', 'family1' > hbase shell >> create 'hbase_perf.table50', 'family1' > Note: As Mike was able to create tables 'hbase_perf.table20', > 'hbase_perf.table50', he becomes the owner of those tables. > This means he has "RWXCA" perms on those tables. > Another team member of Mike, Alice wants also to share the same workspace > "hbase_perf". HBase admin grants Alice also permission to create tables in > "hbase_perf" namespace. > whoami: hbase > hbase shell >> grant 'alice', 'W', '@hbase_perf' > Now Alice can create new tables under "hbase_perf" namespace, but cannot > read,write,alter,delete existing tables in the namespace. > > whoami: alice > hbase shell >> namespace_list_tables 'hbase_perf' > hbase_perf.table20 > hbase_perf.table50 > hbase shell >> scan 'hbase_perf.table20' > AccessDeniedException > > If Alice wants to read or write to existing tables in the "hbase_perf" > namespace, hbase admins need to explicitly grant permission. > > whoami: hbase > hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20' > hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50' -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira