[ 
https://issues.apache.org/jira/browse/RANGER-533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alok Lal updated RANGER-533:
----------------------------
    Fix Version/s:     (was: 0.5.0)

> Hbase plugin: if user does not have family-level access to any family in a 
> table then user may be incorrectly denied access done at table/family level 
> during get or scan
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-533
>                 URL: https://issues.apache.org/jira/browse/RANGER-533
>             Project: Ranger
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>            Reporter: Alok Lal
>            Assignee: Alok Lal
>
> Consider the following series of hbase shell commands
> {code}
> disable 'tab1'
> drop 'tab1'
> create 'tab1', 'fam1', 'fam2', 'fam3'
> put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
> put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
> put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
> {code}
> Imagine that there are users it1 and it2, both belonging to user group IT.  
> Let's grant them the following access:
> {code}
> grant '@IT', 'R', 'tab1', 'fam1', 'col1'
> grant 'it2', 'R', 'tab1', 'fam2'
> {code}
> After this, if user it1 does any of the following accesses then the user won't get 
> back any rows, even though we would expect the user to get back 'row1' with 
> data for 'fam1:col1'
> {code}
> scan 'tab1'
> scan 'tab1', 'fam1'
> get 'tab1', 'row1'
> get 'tab1', 'row1', 'fam1'
> {code}
> However, doing the following works as expected.
> {code}
> scan 'tab1', 'fam1', 'col1'
> get 'tab1', 'row1', 'fam1', 'col2'
> {code}
> Further, user it2 gets the right results when it does the following, i.e. she gets 
> back results from both 'fam1:col1' and 'fam2:col1'
> {code}
> scan 'tab1'
> scan 'tab1', 'fam1'
> get 'tab1', 'row1'
> get 'tab1', 'row1', 'fam1'
> {code}
> This happens because for user it1 (from group IT) there is no column family 
> to which it has family-level access in table 'tab1'.  She only has partial 
> access to 'fam1' and no access to 'fam2'.  Whereas, while user it2 has 
> partial access to fam1, since she has full access to fam2 the final results 
> are right and include values from both fam1 and fam2.
> The workaround for this issue is to create a dummy family in a table and give 
> full access to that dummy family to all users that otherwise don't have full 
> access to any other column family of that table.
> So in the above example if you were to give the following grant then results 
> of user it1 would be corrected:
> {code}
> grant '@IT', 'R', 'tab1', 'fam3'
> {code}
> In practice most often users have family level access so incidents of this 
> issue in the field might be less.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
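
The behaviour reported above can be reproduced with a small model. This is an added example, not code from the Ranger HBase plugin: the grant tuples, `scan`, `divergences` and the `buggy` switch are hypothetical names that encode only the grants, cells and outcomes described in the issue.

```python
# Constructed model of the grants and cells from the report; not Ranger code.
CELLS = {("fam1", "col1"): "fam1-col1-value",
         ("fam1", "col2"): "fam1-col2-value",
         ("fam2", "col1"): "fam2-col1-value"}
GROUPS = {"it1": {"@IT"}, "it2": {"@IT"}}
# (principal, family, column); column None means a family-level grant.
BASE_GRANTS = [("@IT", "fam1", "col1"), ("it2", "fam2", None)]
WORKAROUND = BASE_GRANTS + [("@IT", "fam3", None)]


def allowed(user, fam, col, grants):
    """Expected per-cell decision: a family grant covers every column in it."""
    who = {user} | GROUPS[user]
    return any(p in who and f == fam and c in (None, col) for p, f, c in grants)


def has_family_level_access(user, grants):
    """True if the user (or one of their groups) holds any whole-family grant."""
    who = {user} | GROUPS[user]
    return any(p in who and c is None for p, _f, c in grants)


def scan(user, grants, fam=None, col=None, buggy=False):
    """Cells visible to `user` for scan 'tab1'[, fam[, col]]."""
    # Reported behaviour: a table- or family-level request comes back empty
    # when the user holds no family-level grant anywhere in the table.
    if buggy and col is None and not has_family_level_access(user, grants):
        return {}
    return {k: v for k, v in CELLS.items()
            if fam in (None, k[0]) and col in (None, k[1])
            and allowed(user, k[0], k[1], grants)}


def divergences(grants):
    """Requests where the reported behaviour differs from the expected one."""
    reqs = [(None, None), ("fam1", None), ("fam1", "col1"), ("fam1", "col2")]
    return [(u, r) for u in GROUPS for r in reqs
            if scan(u, grants, *r, buggy=True) != scan(u, grants, *r)]


if __name__ == "__main__":
    print("base grants:", divergences(BASE_GRANTS))
    print("with dummy-family grant:", divergences(WORKAROUND))
```

Running `divergences` over a policy set before and after a plugin upgrade gives a quick regression check for this class of over-denial.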