[
https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233030#comment-14233030
]
Ashish Singhi commented on HBASE-12622:
---------------------------------------
Yes Anoop you are right. The namespace variable is just being used their for
logging, not using it for authorizing.
I tested the patch with following scenario,
1. grant 'non-super', 'RWXCA', '@ns'
2.user_permission '@ns'
It fails with ADE as there it only checks for global ADMIN permission for user.
When I also authorize for namespace, it works fine.
That means other five commands using this method to authorize namespace not
meeting the developer intention.
> user_permission should require global admin to display global and ns
> permissions
> --------------------------------------------------------------------------------
>
> Key: HBASE-12622
> URL: https://issues.apache.org/jira/browse/HBASE-12622
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0, 0.98.8, 0.99.2
> Reporter: Matteo Bertozzi
> Assignee: Matteo Bertozzi
> Fix For: 1.0.0, 2.0.0, 0.98.9
>
> Attachments: HBASE-12622-v0.patch
>
>
> user_permission check the user permission only on the table level (requiring
> at least a table-level admin)
> global and namespace permission listing is done without checking anything.
> but only a global admins should be able to perform this operations.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
