[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233030#comment-14233030 ]
Ashish Singhi commented on HBASE-12622:
---------------------------------------

Yes Anoop, you are right. The namespace variable is just being used there for logging, not for authorizing.

I tested the patch with the following scenario:
1. grant 'non-super', 'RWXCA', '@ns'
2. user_permission '@ns'

It fails with ADE, as there it only checks for global ADMIN permission for the user. When I also authorize for the namespace, it works fine.

That means the other five commands using this method to authorize the namespace are not meeting the developer's intention.

> user_permission should require global admin to display global and ns
> permissions
> --------------------------------------------------------------------------------
>
> Key: HBASE-12622
> URL: https://issues.apache.org/jira/browse/HBASE-12622
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0, 0.98.8, 0.99.2
> Reporter: Matteo Bertozzi
> Assignee: Matteo Bertozzi
> Fix For: 1.0.0, 2.0.0, 0.98.9
>
> Attachments: HBASE-12622-v0.patch
>
>
> user_permission checks the user permission only on the table level (requiring
> at least a table-level admin).
> Global and namespace permission listing is done without checking anything,
> but only global admins should be able to perform these operations.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)