[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-18 Thread Matteo Bertozzi (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matteo Bertozzi updated HBASE-9973:
---

   Resolution: Fixed
Fix Version/s: 0.98.0
   Status: Resolved  (was: Patch Available)

committed to trunk and 96, thanks for the patch and the reviews!

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: migration, security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.98.0, 0.96.1
>
> Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-18 Thread Himanshu Vashishtha (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Vashishtha updated HBASE-9973:
---

Component/s: migration

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: migration, security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-18 Thread Himanshu Vashishtha (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Vashishtha updated HBASE-9973:
---

Attachment: 9973-v2.patch

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-18 Thread Himanshu Vashishtha (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Vashishtha updated HBASE-9973:
---

Attachment: 9973-v2.patch

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-16 Thread Himanshu Vashishtha (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Vashishtha updated HBASE-9973:
---

Status: Patch Available  (was: Open)

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-16 Thread Himanshu Vashishtha (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Vashishtha updated HBASE-9973:
---

Attachment: 9973.patch

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-14 Thread Aleksandr Shulman (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aleksandr Shulman updated HBASE-9973:
-

Assignee: Himanshu Vashishtha

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>Assignee: Himanshu Vashishtha
>  Labels: acl
> Fix For: 0.96.1
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

2013-11-14 Thread Aleksandr Shulman (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aleksandr Shulman updated HBASE-9973:
-

Labels: acl  (was: )

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> 
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.96.0, 0.96.1
>Reporter: Aleksandr Shulman
>  Labels: acl
> Fix For: 0.96.1
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW   COLUMN+CELL 
>   
>  TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW
>   
>  TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA  
>   
>  _acl_column=l:root, timestamp=1384454767568, value=C 
>   
>  _acl_column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:aclcolumn=l:root, timestamp=1384455875786, value=C 
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_column=l:tableAdmin, timestamp=1384454788035, 
> value=A {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)