[ https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ted Yu updated HBASE-14809:
---------------------------
    Attachment: 14809-v1.txt

Something like this ?

> Namespace permission granted to group
> --------------------------------------
>
>                 Key: HBASE-14809
>                 URL: https://issues.apache.org/jira/browse/HBASE-14809
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.2
>            Reporter: Steven Hancz
>         Attachments: 14809-v1.txt
>
>
> Hi,
> We are looking to roll out HBase and are in the process of designing the security model.
> We are looking to implement global DBAs and namespace-specific administrators.
> So, for example, the global DBA would create a namespace and grant a user/group admin privileges within that ns.
> So that a given ns admin can in turn create objects and grant permission within the given ns only.
> We have run into some issues at the ns admin level. It appears that a ns admin can NOT grant to a group unless it also has global admin privilege. But once it has global admin privilege it can grant in any NS, not just the one where it has admin privileges.
> Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix
> Table 13. ACL Matrix
> Interface          Operation                Permissions
> AccessController   grant(global level)      global(A)
>                    grant(namespace level)   global(A)|NS(A)
> grant at a namespace level should be possible for someone with global A OR (|) NS A permission.
> As you will see in our test, it does not work if NS A permission is granted but global A permission is not.
> Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
> hbase(main):011:0> scan 'hbase:acl'
> ROW                  COLUMN+CELL
>  @ns1                column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
> However:
> Here you can see that a user who is a member of the group hbaseappltest_ns1admin cannot grant a WRX privilege to a group, as it is missing global A privilege.
> $hbase shell
> 15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available
> HBase Shell; enter 'help<RETURN>' for list of supported commands.
> Type "exit<RETURN>" to leave the HBase Shell
> Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
> hbase(main):001:0> whoami
> ns1ad...@wlab.net (auth:KERBEROS)
>     groups: hbaseappltest_ns1admin
> hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ns1admin' (global, action=ADMIN)
> The way I read the documentation, a NS admin should be able to grant, as it has ns level A privilege, not only object level permission.
> CDH is at version 5.4.7 and HBase is version 1.0.
> Regards,
> Steven

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
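
The ACL-matrix rule cited in the report, grant(namespace level) = global(A)|NS(A), modelled beside the global-only check the reporter observed. This is an added example, not HBase's AccessController code and not part of the message or its attachment; the `GLOBAL` key, the `@ns2` row, the `dba1` user and the `hbase_dba_group` group are constructed for illustration.

```python
# Model of the ACL-matrix rule quoted in the report: grant(namespace level)
# needs global(A) OR NS(A). Not HBase code; entries marked "constructed"
# are sample data that does not come from the report.
GLOBAL = "<global>"  # placeholder key for global-scope entries (assumption)

ACL = {
    "@ns1": {"@hbaseappltest_ns1admin": "XCA"},  # row shown in the report's scan
    "@ns2": {"@ns2admin_group": "XCA"},          # constructed
    GLOBAL: {"@hbase_dba_group": "RWXCA"},       # constructed
}


def has_action(scope, user, groups, action):
    """True if the user, or any of the user's groups, holds `action` on `scope`."""
    entries = ACL.get(scope, {})
    principals = [user] + ["@" + g for g in groups]  # groups carry an '@' prefix
    return any(action in entries.get(p, "") for p in principals)


def may_grant_documented(user, groups, namespace):
    """Rule as documented in the ACL matrix: global(A) | NS(A)."""
    return (has_action(GLOBAL, user, groups, "A")
            or has_action("@" + namespace, user, groups, "A"))


def may_grant_reported(user, groups, namespace):
    """Behaviour observed by the reporter: only global(A) is accepted."""
    return has_action(GLOBAL, user, groups, "A")


def check_cases():
    """Evaluate both rules for the reporter's ns admin and a constructed DBA."""
    ns1admin = ("ns1admin", ["hbaseappltest_ns1admin"])
    dba = ("dba1", ["hbase_dba_group"])  # constructed
    return {
        "documented: ns1admin grants in ns1": may_grant_documented(*ns1admin, "ns1"),
        "documented: ns1admin grants in ns2": may_grant_documented(*ns1admin, "ns2"),
        "reported:   ns1admin grants in ns1": may_grant_reported(*ns1admin, "ns1"),
        "documented: dba1 grants in ns2": may_grant_documented(*dba, "ns2"),
    }


if __name__ == "__main__":
    for case, allowed in check_cases().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Under the documented rule the namespace admin stays confined to ns1, which is the least-privilege delegation the reporter wants; the global-only check forces a choice between no delegation and cluster-wide grant rights.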