[ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281624#comment-13281624 ]
Laxman commented on HBASE-6068: ------------------------------- bq. #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061. Gone through the HBASE-6061 patch. It addresses a different problem. We actually need to check for table permissions instead of global permissions here. {code} + private void requireTableAdminPermission(MasterCoprocessorEnvironment e, + byte[] tableName) throws IOException { + if (isActiveUserTableOwner(e, tableName)) { + requirePermission(Permission.Action.CREATE); + } else { + requirePermission(Permission.Action.ADMIN); + } + } {code} I think this needs to be handled as separate jira. > Secure HBase cluster : Client not able to call some admin APIs > -------------------------------------------------------------- > > Key: HBASE-6068 > URL: https://issues.apache.org/jira/browse/HBASE-6068 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 0.94.0 > Reporter: Anoop Sam John > > In case of secure cluster, we allow the HBase clients to read the zk nodes by > providing the global read permissions to all for certain nodes. These nodes > are the master address znode, root server znode and the clusterId znode. In > ZKUtil.createACL() , we can see these node names are specially handled. > But there are some other client side admin APIs which makes a read call into > the zookeeper from the client. This include the isTableEnabled() call (May be > some other. I have seen this). Here the client directly reads a node in the > zookeeper ( node created for this table ) and the data is matched to know > whether this is enabled or not. > Now in secure cluster case any client can read zookeeper nodes which it needs > for its normal operation like the master address and root server address. > But what if the client calls this API? [isTableEnaled () ]. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira