[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14235448#comment-14235448 ] Hudson commented on HBASE-12622: SUCCESS: Integrated in HBase-1.0 #543 (See [https://builds.apache.org/job/HBase-1.0/543/]) HBASE-12622 user_permission should require global admin to display global and ns permissions (matteo.bertozzi: rev 398e4f7ccfd821577f36c416db2dc9ed507efe8b) * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14235461#comment-14235461 ] Hudson commented on HBASE-12622: FAILURE: Integrated in HBase-0.98 #719 (See [https://builds.apache.org/job/HBase-0.98/719/]) HBASE-12622 user_permission should require global admin to display global and ns permissions (matteo.bertozzi: rev f508f9162f26c08ef8e40e9080eb00c730db55fe) * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14235464#comment-14235464 ] Hudson commented on HBASE-12622: FAILURE: Integrated in HBase-TRUNK #5869 (See [https://builds.apache.org/job/HBase-TRUNK/5869/]) HBASE-12622 user_permission should require global admin to display global and ns permissions (matteo.bertozzi: rev c8362a7bb2876e5b4aeb2b979458179b3a650115) * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14235542#comment-14235542 ] Hudson commented on HBASE-12622: FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #686 (See [https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/686/]) HBASE-12622 user_permission should require global admin to display global and ns permissions (matteo.bertozzi: rev f508f9162f26c08ef8e40e9080eb00c730db55fe) * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java * hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14234167#comment-14234167 ] Anoop Sam John commented on HBASE-12622: +1 for this patch after HBASE-12634 goes in. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14234170#comment-14234170 ] Ashish Singhi commented on HBASE-12622: --- [~mbertozzi] can we move the test to TestNamespaceCommands, as all the namespace related test are available there and also we can validate for the user with admin rights on namespace is allowed to execute user_permission.? user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14234464#comment-14234464 ] Andrew Purtell commented on HBASE-12622: Ok, thanks [~ashish singhi] user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14234533#comment-14234533 ] Srikanth Srungarapu commented on HBASE-12622: - +1 (non-binding). user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14235086#comment-14235086 ] Ashish Singhi commented on HBASE-12622: --- v1 looks lgtm too user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch, HBASE-12622-v1.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14232997#comment-14232997 ] Anoop Sam John commented on HBASE-12622: bq.requireGlobalPermission(userPermissions, Action.ADMIN, namespace); Pls check whether this method really checks for the ns level permission given for the user. I have doubt. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233030#comment-14233030 ] Ashish Singhi commented on HBASE-12622: --- Yes Anoop you are right. The namespace variable is just being used their for logging, not using it for authorizing. I tested the patch with following scenario, 1. grant 'non-super', 'RWXCA', '@ns' 2.user_permission '@ns' It fails with ADE as there it only checks for global ADMIN permission for user. When I also authorize for namespace, it works fine. That means other five commands using this method to authorize namespace not meeting the developer intention. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233049#comment-14233049 ] Anoop Sam John commented on HBASE-12622: Thanks for testing Ashish.. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233193#comment-14233193 ] Matteo Bertozzi commented on HBASE-12622: - [~ashish singhi] do you want to open a new jira to fix the requireGlobalPermission(ns) with NS for all the methods that use that? (e.g. grant/revoke/modifyNS/deleteNS/..) user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233200#comment-14233200 ] Ashish Singhi commented on HBASE-12622: --- Yes I can do that tomorrow morning as per IST zone. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233783#comment-14233783 ] Andrew Purtell commented on HBASE-12622: bq. do you want to open a new jira to fix the requireGlobalPermission(ns) with NS for all the methods that use that? (e.g. grant/revoke/modifyNS/deleteNS/..) So this issue is invalid? user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233883#comment-14233883 ] Ashish Singhi commented on HBASE-12622: --- No Andy, This is still valid. But before this we need to fix the requireGlobalPermission(ns) issue. I will raise a jira and provide a patch as soon as possible. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233905#comment-14233905 ] Srikanth Srungarapu commented on HBASE-12622: - My two cents. Going by the discussion in HBASE-9206, specifically bq. 'A' on the namespace does not grant admin privilege - let's document this exception clearly. my understanding is there isn't any support added for namespace admin, so adding support for requireGlobalPermission(ns) is non-trivial/major change, as it needs to be implemented from scratch. Maybe, we can move forward with the global checks for now? user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-12622) user_permission should require global admin to display global and ns permissions
[ https://issues.apache.org/jira/browse/HBASE-12622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14233923#comment-14233923 ] Srikanth Srungarapu commented on HBASE-12622: - My bad. TableAuthManager already has the utility methods for verifying the table admin. Thanks [~ashish singhi] for quick followup. user_permission should require global admin to display global and ns permissions Key: HBASE-12622 URL: https://issues.apache.org/jira/browse/HBASE-12622 Project: HBase Issue Type: Bug Components: security Affects Versions: 2.0.0, 0.98.8, 0.99.2 Reporter: Matteo Bertozzi Assignee: Matteo Bertozzi Fix For: 1.0.0, 2.0.0, 0.98.9 Attachments: HBASE-12622-v0.patch user_permission check the user permission only on the table level (requiring at least a table-level admin) global and namespace permission listing is done without checking anything. but only a global admins should be able to perform this operations. -- This message was sent by Atlassian JIRA (v6.3.4#6332)