[ https://issues.apache.org/jira/browse/HBASE-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534976#comment-13534976 ]
Andrew Purtell commented on HBASE-7367: --------------------------------------- {quote} requirePermission(Permission.Action.ADMIN) instead of the UnsupportedOperationException. If tested it, and the behaviour is the one Andrew described (thank you). Only the creator can read/write to the table. {quote} Thanks! Looks like you attached a patch for HBASE-7365 though. :-) {quote} Only a GLOBAL ADMIN can take a snapshot, restore or clone a table. In the restore case, if there're ACLs they are preserved, if there's nothing related to the table, only the admin can read/write to table. In the clone case, there're no rights in the table, and the admin should assign the new ones needed.{quote} [~mbertozzi] and [~jmhsieh]: +1 here on these semantics. I can take this forward on HBASE-6222. No need to deal with more until then. We need to do more once there's something committable on HBASE-6222 because per cell ACLs, either if stored inline KV tags or in a "shadow family", would be propagated by a snapshot clone or restore. It would be a complete mess if somehow the AccessController does not also handle table and CF level permissions in the context of snapshots. I'll run an implementation proposal by you when we've reached this point and we can discuss it then. How does that sound? > Snapshot coprocessor and ACL security > ------------------------------------- > > Key: HBASE-7367 > URL: https://issues.apache.org/jira/browse/HBASE-7367 > Project: HBase > Issue Type: Sub-task > Components: Client, master, regionserver, snapshots, Zookeeper > Reporter: Matteo Bertozzi > Assignee: Matteo Bertozzi > Priority: Minor > Fix For: hbase-6055, 0.96.0 > > Attachments: HBASE-7365-v1.patch, HBASE-7367-v0.patch > > > Currently snapshot don't care about ACL... > and in the first draft snapshots should be disabled if the ACL coprocessor is > enabled. > After the first step, we can discuss how to handle the snapshot/restore/clone. > Is saving and restoring the _acl_ related rights, the right way? maybe after > 3 months we don't want to give the access the guys listed in the old _acl_... -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira