[
https://issues.apache.org/jira/browse/HBASE-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell resolved HBASE-5352.
-----------------------------------
Resolution: Fixed
Assignee: (was: Enis Soztutar)
This umbrella has seen it's day. Will spin out still relevant unfinished
subtasks to top level issues.
> ACL improvements
> ----------------
>
> Key: HBASE-5352
> URL: https://issues.apache.org/jira/browse/HBASE-5352
> Project: HBase
> Issue Type: Improvement
> Components: security
> Affects Versions: 0.92.1, 0.94.0
> Reporter: Enis Soztutar
>
> In this issue I would like to open discussion for a few minor ACL related
> improvements. The proposed changes are as follows:
> 1. Introduce something like
> AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so
> that clients can check access rights before carrying out the operations. We
> need this kind of operation for HCATALOG-245, which introduces authorization
> providers for hbase over hcat. We cannot use getUserPermissions() since it
> requires ADMIN permissions on the global/table level.
> 2. getUserPermissions(tableName)/grant/revoke and drop/modify table
> operations should not check for global CREATE/ADMIN rights, but table
> CREATE/ADMIN rights. The reasoning is that if a user is able to admin or read
> from a table, she should be able to read the table's permissions. We can
> choose whether we want only READ or ADMIN permissions for
> getUserPermission(). Since we check for global permissions first for table
> permissions, configuring table access using global permissions will continue
> to work.
> 3. Grant/Revoke global permissions - HBASE-5342 (included for completeness)
> From all 3, we may want to backport the first one to 0.92 since without it,
> Hive/Hcatalog cannot use Hbase's authorization mechanism effectively.
> I will create subissues and convert HBASE-5342 to a subtask when we get some
> feedback, and opinions for going further.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
