[
https://issues.apache.org/jira/browse/HBASE-5787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257104#comment-13257104
]
Andrew Purtell commented on HBASE-5787:
---------------------------------------
This seems fine. The initial implementation had the notion of requiring ADMIN
for any table op that has global cluster implications, but then went back and
changed that to allow at least users to create tables if they had CREATE
permission. The delete case seems a bug. All around an area that required
improvement.
> Table owner can't disable/delete its own table
> ----------------------------------------------
>
> Key: HBASE-5787
> URL: https://issues.apache.org/jira/browse/HBASE-5787
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.92.1, 0.94.0, 0.96.0
> Reporter: Matteo Bertozzi
> Assignee: Matteo Bertozzi
> Priority: Minor
> Labels: acl, security
> Fix For: 0.92.2, 0.96.0, 0.94.1
>
> Attachments: HBASE-5787-tests-wrong-names.patch, HBASE-5787-v0.patch,
> HBASE-5787-v1.patch
>
>
> An user with CREATE privileges can create a table, but can not disable it,
> because disable operation require ADMIN privileges. Also if a table is
> already disabled, anyone can remove it.
> {code}
> public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c,
> byte[] tableName) throws IOException {
> requirePermission(Permission.Action.CREATE);
> }
> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c,
> byte[] tableName) throws IOException {
> /* TODO: Allow for users with global CREATE permission and the table owner
> */
> requirePermission(Permission.Action.ADMIN);
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
