[ 
https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281624#comment-13281624
 ] 

Laxman commented on HBASE-6068:
-------------------------------

bq. #2 is due to the wrong check in AC (AccessController). Handled as part of 
HBASE-6061.

Gone through the HBASE-6061 patch. It addresses a different problem. We 
actually need to check for table permissions instead of global permissions here.

{code}
+  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+      byte[] tableName) throws IOException {
+    if (isActiveUserTableOwner(e, tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
+  }
{code}
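Review bot: in both branches of requireTableAdminPermission, the calls requirePermission(Permission.Action.CREATE) and requirePermission(Permission.Action.ADMIN) take no table argument, so tableName reaches only isActiveUserTableOwner and never the permission check itself. If the check is meant to be table-level, pass tableName into the permission check so the action is evaluated against that table rather than without any table scope. The parameter e is likewise used only for the ownership test. A short javadoc stating the owner (CREATE) versus non-owner (ADMIN) rule would make the intent explicit.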

I think this needs to be handled as a separate JIRA.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>
> In case of a secure cluster, we allow the HBase clients to read the zk nodes by 
> providing the global read permissions to all for certain nodes. These nodes 
> are the master address znode, root server znode and the clusterId znode. In 
> ZKUtil.createACL(), we can see these node names are specially handled.
> But there are some other client side admin APIs which make a read call into 
> the zookeeper from the client. This includes the isTableEnabled() call (Maybe 
> some others. I have seen this).  Here the client directly reads a node in the 
> zookeeper (the node created for this table) and the data is matched to know 
> whether this is enabled or not.
> Now in the secure cluster case any client can read zookeeper nodes which it needs 
> for its normal operation like the master address and root server address.  
> But what if the client calls this API? [isTableEnabled()].
