[ https://issues.apache.org/jira/browse/HBASE-12348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ashish Singhi updated HBASE-12348:
----------------------------------
Description:
A user with ADMIN and CREATE rights {{only on the column family}} is denied
from performing DeleteColumn and ModifyColumn operations on the table.
Also, the family name can be added to the audit log for addColumn.
{noformat}
alter 't', 'd2'
2014-10-27 20:44:45,635 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ashish; reason: Table permission granted; remote address:
/10.18.40.106; request: addColumn; context: (user=ashish, scope=t, family=,
action=ADMIN)
{noformat}
was:
Family name can be added in audit log for addColumn, deleteColumn and
modifyColumn operations similar to createTable operation.
{noformat}
create 't', 'd'
2014-10-27 20:41:54,303 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ashish; reason: Global check allowed; remote address:
/10.18.40.106; request: createTable; context: (user=ashish, scope=t, family=d,
action=CREATE)
alter 't', NAME => 'd', VERSIONS => 5
2014-10-27 20:42:54,771 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ashish; reason: Table permission granted; remote address:
/10.18.40.106; request: modifyColumn; context: (user=ashish, scope=t, family=,
action=ADMIN)
alter 't', 'd2'
2014-10-27 20:44:45,635 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ashish; reason: Table permission granted; remote address:
/10.18.40.106; request: addColumn; context: (user=ashish, scope=t, family=,
action=ADMIN)
alter 't', NAME => 'd2', METHOD => 'delete'
2014-10-27 20:45:25,681 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ashish; reason: Table permission granted; remote address:
/10.18.40.106; request: deleteColumn; context: (user=ashish, scope=t, family=,
action=ADMIN)
{noformat}
Priority: Major (was: Minor)
Fix Version/s: 0.98.9, 2.0.0, 1.0.0
Issue Type: Bug (was: Improvement)
Summary: preModifyColumn and preDeleteColumn in AC denies user to
perform its operation though it has required rights (was: Add family name in
audit log for addColumn, deleteColumn and modifyColumn operations)
> preModifyColumn and preDeleteColumn in AC denies user to perform its
> operation though it has required rights
> ------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-12348
> URL: https://issues.apache.org/jira/browse/HBASE-12348
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.98.5
> Reporter: Ashish Singhi
> Assignee: Ashish Singhi
> Fix For: 1.0.0, 2.0.0, 0.98.9
>
> Attachments: HBASE-12348.patch
>
>
> A user with ADMIN and CREATE rights {{only on the column family}} is denied
> from performing DeleteColumn and ModifyColumn operations on the table.
> Also, the family name can be added to the audit log for addColumn.
> {noformat}
> alter 't', 'd2'
> 2014-10-27 20:44:45,635 TRACE
> SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController:
> Access allowed for user ashish; reason: Table permission granted; remote
> address: /10.18.40.106; request: addColumn; context: (user=ashish, scope=t,
> family=, action=ADMIN)
> {noformat}
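The audit excerpts in this issue show `family=` empty for addColumn, modifyColumn and deleteColumn, while createTable records it. As an added example (not code from the issue or from HBase), the Python below parses those SecurityLogger lines and lists column operations whose audit record carries no family name; the function names are hypothetical, and the sample lines are the issue's own excerpts joined onto single lines.

```python
import re

# The four audit lines from the issue's "was:" excerpt, each re-joined onto one line.
_PFX = "TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ashish; "
_ADDR = "remote address: /10.18.40.106; "
SAMPLE_LOG = "\n".join([
    "2014-10-27 20:41:54,303 " + _PFX + "reason: Global check allowed; " + _ADDR
    + "request: createTable; context: (user=ashish, scope=t, family=d, action=CREATE)",
    "2014-10-27 20:42:54,771 " + _PFX + "reason: Table permission granted; " + _ADDR
    + "request: modifyColumn; context: (user=ashish, scope=t, family=, action=ADMIN)",
    "2014-10-27 20:44:45,635 " + _PFX + "reason: Table permission granted; " + _ADDR
    + "request: addColumn; context: (user=ashish, scope=t, family=, action=ADMIN)",
    "2014-10-27 20:45:25,681 " + _PFX + "reason: Table permission granted; " + _ADDR
    + "request: deleteColumn; context: (user=ashish, scope=t, family=, action=ADMIN)",
])

# Only "Access allowed" lines appear in the issue; accepting "denied" in the
# same shape is an assumption made for this example.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ SecurityLogger\.\S+: "
    r"Access (?P<decision>allowed|denied) for user (?P<user>[^;]+); "
    r"reason: (?P<reason>[^;]+); remote address: (?P<remote>[^;]*); "
    r"request: (?P<request>[^;]+); context: \((?P<context>.*)\)$"
)

# Requests that act on a single column family, so the audit record should name it.
COLUMN_REQUESTS = {"addColumn", "deleteColumn", "modifyColumn"}


def parse_audit_line(line):
    """Return the audit fields of one line as a dict, or None if it is not an audit line."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The context is "key=value, key=value"; a value may be empty, as in "family=".
    rec.update(re.findall(r"(\w+)=([^,]*)", rec.pop("context")))
    return rec


def missing_family(log_text):
    """List (timestamp, request, scope) for column operations logged without a family."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["request"] in COLUMN_REQUESTS and not rec.get("family"):
            hits.append((rec["ts"], rec["request"], rec["scope"]))
    return hits
```
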