[ https://issues.apache.org/jira/browse/HBASE-14265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14726637#comment-14726637 ]

Andrew Purtell commented on HBASE-14265:
----------------------------------------

bq. So the test cluster still tries to create the 'ACL' table under the 'hbase' NS. But 
by our logic, it is forbidden....

The user running the test is the effective superuser, so that shouldn't happen, 
right?

The setupBeforeClass method of both of these tests calls 
SecureTestUtil#enableSecurity, which calls SecureTestUtil#configureSuperuser, 
which does:
{code}
  public static void configureSuperuser(Configuration conf) throws IOException {
    // The secure minicluster creates separate service principals based on the
    // current user's name, one for each slave. We need to add all of these to
    // the superuser list or security won't function properly. We expect the
    // HBase service account(s) to have superuser privilege.
    String currentUser = User.getCurrent().getName();
    StringBuffer sb = new StringBuffer();
    sb.append("admin,");
    sb.append(currentUser);
    // Assumes we won't ever have a minicluster with more than 5 slaves
    for (int i = 0; i < 5; i++) {
      sb.append(',');
      sb.append(currentUser); sb.append(".hfs."); sb.append(i);
    }
    conf.set("hbase.superuser", sb.toString());
  }
{code}


> we should forbid creating table using 'hbase' namespace except by superuser
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14265
>                 URL: https://issues.apache.org/jira/browse/HBASE-14265
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Heng Chen
>            Assignee: Heng Chen
>         Attachments: HBASE-14265.patch, HBASE-14265_v2.patch, 
> HBASE-14265_v3.patch, HBASE-14265_v4.patch
>
>
> Now, there is no limit on which users can create a table under the 'hbase' 
> namespace. I think it has some risk,
> because we use {{TableName.systemTable}} to decide whether a table is a 
> system table or not.
> But per the code, {{TableName.systemTable}} will be true if the NS equals "hbase":
> {code}
>  if (Bytes.equals(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME, namespace)) {
>         this.namespace = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME;
>         this.namespaceAsString = NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR;
>         this.systemTable = true;
>       } 
> {code}
>  
> And we treat system tables and normal tables differently. 
> For example,  https://issues.apache.org/jira/browse/HBASE-14257 will flush 
> fast if the table is a system table.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
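
The interaction discussed in this message, as an added example that is not HBase code and not taken from any of the attached patches: a stand-alone model of a "superuser only" check on the 'hbase' namespace, evaluated against the superuser list that configureSuperuser builds. The class name, `mayCreateTable`, and the user names "tester" and "alice" are hypothetical; matching is by exact user name only.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SystemNamespaceGuard {
  // Assumption: the system namespace string is "hbase", as stated in the issue.
  static final String SYSTEM_NAMESPACE = "hbase";

  // Builds the same comma-separated value that configureSuperuser() stores
  // under "hbase.superuser": admin, the current user, and <user>.hfs.0..4.
  static String superuserList(String currentUser) {
    StringBuilder sb = new StringBuilder("admin,").append(currentUser);
    for (int i = 0; i < 5; i++) {
      sb.append(',').append(currentUser).append(".hfs.").append(i);
    }
    return sb.toString();
  }

  // Hypothetical check: only a listed superuser may create a table whose
  // namespace is "hbase". Other namespaces are left to the normal permission
  // checks, which this model does not implement.
  static boolean mayCreateTable(String user, String namespace, String superuserConf) {
    if (!SYSTEM_NAMESPACE.equals(namespace)) {
      return true;
    }
    Set<String> superusers = new HashSet<>(Arrays.asList(superuserConf.split(",")));
    return superusers.contains(user);
  }

  public static void main(String[] args) {
    String conf = superuserList("tester"); // constructed sample: the user running the test
    String[][] cases = {
      {"tester", "hbase"},        // test user is in the list
      {"tester.hfs.0", "hbase"},  // per-slave service principal, in the list
      {"tester.hfs.5", "hbase"},  // sixth slave: outside the 0..4 loop
      {"alice", "hbase"},         // ordinary user, system namespace
      {"alice", "default"},       // ordinary user, ordinary namespace
    };
    for (String[] c : cases) {
      System.out.printf("%-13s create in %-8s -> %s%n", c[0], c[1],
          mayCreateTable(c[0], c[1], conf) ? "allowed" : "denied");
    }
  }
}
```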
