[jira] [Commented] (HBASE-9206) namespace permissions

Fri, 16 Aug 2013 08:50:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-9206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13742326#comment-13742326
 ] 

Andrew Purtell commented on HBASE-9206:
---------------------------------------

bq. Small nitpick, namespace doesn't have schema

The namespace itself is schema. 

'M' works. 

bq. Shouldn't 'R' on a table be enough to read schema and 'S' for manipulating 
it

I don't believe so. Some users want a user or application to be able to read 
table data yet not be able to access sensitive metadata in the schema, an HCD 
attribute, for example. That was the motivation for HBASE-8692. 

bq. For #4. On a "list by namespace" command how about we hide tables a user 
does not have any privilege to? 

There's precedent as AccessControlFilter. So we would have to go back and add a 
CP hook in getTableNames/listTableNames after all. Maybe a filter like 
interface for the descriptor enumeration there.

bq. can we make cell level an exception?

We could.

bq. If you have a namespace 'C' then it should translate to being able to 
create a table in a namespace.

+1


                
> namespace permissions
> ---------------------
>
>                 Key: HBASE-9206
>                 URL: https://issues.apache.org/jira/browse/HBASE-9206
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>
> Now that we have namespaces let's address how we can give admins more 
> flexibility.
> Let's list out the privileges we'd like. Then we can map it to existing 
> privileges and see if we need more. 
> So far we have:
> 1. Modify namespace descriptor (ie quota, other values)
> 2. create namespace
> 3. delete namespace
> 4. list tables in namespace
> 5. create/drop tables in a namespace
> 6. All namespace's tables create
> 7. All namespace's tables write
> 8. All namespace's tables execute
> 9. All namespace's tables delete
> 10. All namespace's tables admin
> 1-3, is currently set to global admin only. Which seems acceptable to me.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to