[ 
https://issues.apache.org/jira/browse/HBASE-12511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14238233#comment-14238233
 ] 

Huaiyu Zhu commented on HBASE-12511:
------------------------------------

{quote}This one requireGlobalPermission(String request, Action perm, String 
namespace){quote}
This method checks global permission only. It is used to grant/revoke/modifyNS. 
We still need a new requirePermission for NS+global checks.

{quote}Agreed with deleteTable, and possibly others (modify table) etc which 
should be fixed together with createTable.{quote}
There is no need to fix them. When requirePermission("deleteTable", tableName, 
null, null, Action.ADMIN, Action.CREATE) is called in 
preDeleteTable/preModifyTable, it not only checks the table permission but also 
checks the NS and global ones. This behavior is implemented in different versions 
of authManager.authorize methods.

But create table is different, because before we create the table, the table 
permission does not even exist. We need a requirePermission for 
namespace+global checks. This is the missing function I added in the patch.

{quote}it relies on exception catching for the regular code path, which is 
quite costly. The exception should not be raised in the global check. If at the 
end of global + NS check it fails, only then the exception should be 
thrown.{quote}
Agreed, raising an additional exception is unnecessary. Since requirePermission 
checks both global and ns, I just removed the globalRequirePermission.

> namespace permissions - add support from table creation privilege in a 
> namespace 'C'
> ------------------------------------------------------------------------------------
>
>                 Key: HBASE-12511
>                 URL: https://issues.apache.org/jira/browse/HBASE-12511
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>            Assignee: Huaiyu Zhu
>         Attachments: HBASE-12511.patch, HBASE-12511.patch
>
>
> As discussed in namespace permission Jira. A user granted a 'C' on a 
> namespace enables a user to create tables within the namespace. 'C' on a 
> namespace does not enable a user to create/drop the namespace.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
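
The namespace + global check discussed in the comment above, as an added sketch that is not part of the original message or the attached patch. It is a simplified Java model, not HBase's AccessController API: the class, method names, scope keys, users, grants and required actions are all hypothetical. It shows a namespace 'C' grant allowing createTable in that namespace only, with denial raised once after both scopes are checked.

```java
import java.util.*;

// Simplified model of scoped grants; NOT HBase's AccessController or its authManager.
public class NamespaceCreateCheck {
    enum Action { READ, WRITE, CREATE, ADMIN }

    // Key is "user|scope": scope "" means global, "@ns" means a namespace (sketch convention).
    static final Map<String, EnumSet<Action>> GRANTS = new HashMap<>();

    static void grant(String user, String scope, Action... actions) {
        GRANTS.computeIfAbsent(user + "|" + scope, k -> EnumSet.noneOf(Action.class))
              .addAll(Arrays.asList(actions));
    }

    // Plain boolean lookup, so the normal path never throws.
    static boolean has(String user, String scope, Action... anyOf) {
        EnumSet<Action> held = GRANTS.getOrDefault(user + "|" + scope, EnumSet.noneOf(Action.class));
        return Arrays.stream(anyOf).anyMatch(held::contains);
    }

    // Global-only check: what creating or dropping a namespace needs (assumed action: ADMIN).
    static void requireGlobal(String request, String user, Action... anyOf) {
        if (!has(user, "", anyOf))
            throw new SecurityException("Denied " + request + " for " + user);
    }

    // Global + namespace check for createTable. The table has no grants yet, so the
    // decision comes from the enclosing scopes; denial is raised once, at the end.
    static void requireNamespaceOrGlobal(String request, String user, String ns, Action... anyOf) {
        if (has(user, "", anyOf) || has(user, "@" + ns, anyOf)) return;
        throw new SecurityException("Denied " + request + " in " + ns + " for " + user);
    }

    static boolean allowed(Runnable check) {
        try { check.run(); return true; } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        grant("alice", "@sales", Action.CREATE);   // constructed grant: 'C' on namespace "sales"
        grant("root", "", Action.ADMIN);           // constructed grant: global ADMIN
        Action[] need = { Action.ADMIN, Action.CREATE };
        System.out.println("alice createTable in sales: "
            + allowed(() -> requireNamespaceOrGlobal("createTable", "alice", "sales", need)));
        System.out.println("alice createTable in hr: "
            + allowed(() -> requireNamespaceOrGlobal("createTable", "alice", "hr", need)));
        System.out.println("alice createNamespace: "
            + allowed(() -> requireGlobal("createNamespace", "alice", Action.ADMIN)));
        System.out.println("root createTable in hr: "
            + allowed(() -> requireNamespaceOrGlobal("createTable", "root", "hr", need)));
    }
}
```

A regression test for a change like this should cover both directions: the namespace-scoped grant must succeed for createTable in its own namespace, and must fail for another namespace and for namespace creation.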
