[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16780051#comment-16780051 ]
Guanghao Zhang commented on HBASE-21481:
----------------------------------------

{code:java}
public static boolean isSuperUser(String user) {
  return superUsers.contains(user) || superGroups.contains(AuthUtil.toGroupEntry(user));
}
{code}

The user param may already have GROUP_PREFIX? There is already a group principal check in the AccessChecker#performOnSuperuser method.

> [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
> -----------------------------------------------------------------------------------------
>
>                 Key: HBASE-21481
>                 URL: https://issues.apache.org/jira/browse/HBASE-21481
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Reid Chan
>            Assignee: Reid Chan
>            Priority: Major
>              Labels: ACL, security-issue
>             Fix For: 3.0.0, 2.2.0, 2.3.0
>
>         Attachments: HBASE-21481.master.001.patch, HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, HBASE-21481.master.012.patch
>
>
> Superusers are the {{hbase.superuser}} listed in configuration plus the one who starts the master process; these two may overlap.
> A superuser must be a global admin, but a global admin may not be a superuser, possibly granted afterwards.
> For now, a non-su global admin with a Global.ADMIN permission can grant or revoke any superuser's permission, accidentally or deliberately.
> The purpose of this issue is to ban this action.
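
To make the question in the comment above concrete, the following is an added example, not code from the HBASE-21481 patches or from the commenter. It assumes super groups are stored with their prefix and that the prefix is "@" (as AuthUtil.GROUP_PREFIX is in HBase); the class name, the `isSuperUserNormalized` variant and the sample principals are hypothetical and constructed for illustration.

```java
import java.util.Set;

public class SuperuserCheckDemo {
  // Local stand-ins, not HBase classes. "@" mirrors AuthUtil.GROUP_PREFIX.
  static final String GROUP_PREFIX = "@";
  // Constructed sample data; assumption: group entries keep their prefix.
  static final Set<String> superUsers = Set.of("hbase");
  static final Set<String> superGroups = Set.of("@admins");

  // Stand-in for AuthUtil.toGroupEntry: unconditionally prepends the prefix.
  static String toGroupEntry(String name) {
    return GROUP_PREFIX + name;
  }

  // Stand-in for AuthUtil.isGroupPrincipal.
  static boolean isGroupPrincipal(String name) {
    return name != null && name.startsWith(GROUP_PREFIX);
  }

  // Same logic as the snippet quoted in the comment.
  static boolean isSuperUserAsQuoted(String user) {
    return superUsers.contains(user) || superGroups.contains(toGroupEntry(user));
  }

  // Hypothetical variant: add the prefix only if the caller has not already.
  static boolean isSuperUserNormalized(String user) {
    if (user == null) {
      return false;
    }
    String groupEntry = isGroupPrincipal(user) ? user : toGroupEntry(user);
    return superUsers.contains(user) || superGroups.contains(groupEntry);
  }

  public static void main(String[] args) {
    // Constructed principals: a superuser, a bare group name,
    // an already-prefixed group principal, and an ordinary user.
    for (String principal : new String[] {"hbase", "admins", "@admins", "alice"}) {
      System.out.printf("%-8s quoted=%-5b normalized=%b%n", principal,
          isSuperUserAsQuoted(principal), isSuperUserNormalized(principal));
    }
  }
}
```

The two checks differ only for the already-prefixed principal: the quoted logic looks up a doubly prefixed entry and does not recognise the super group, so a guard built on it would not cover that group.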