[ 
https://issues.apache.org/jira/browse/RANGER-533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alok Lal updated RANGER-533:
----------------------------
    Description: 
Consider the following series of hbase shell commands

{code}
disable 'tab1'
drop 'tab1'
create 'tab1', 'fam1', 'fam2', 'fam3'
put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
{code}
Imagine that there are users it1 and it2, both belonging to user group IT.  
Let's grant them the following access:
{code}
grant '@IT', 'R', 'tab1', 'fam1', 'col1'
grant 'it2', 'R', 'tab1', 'fam2'
{code}

After this, if user it1 does any of the following accesses, then the user won't 
get back any rows, even though we would expect the user to get back 'row1' with 
data for 'fam1:col1':
{code}
scan 'tab1'
scan 'tab1', {COLUMNS => 'fam1'}
get 'tab1', 'row1'
get 'tab1', 'row1', 'fam1'
{code}

However, doing the following works as expected.
{code}
scan 'tab1', {COLUMNS => 'fam1:col1'}
get 'tab1', 'row1', 'fam1:col2'
{code}

Further, user it2 gets the right results when it does the following, i.e. she 
gets back results from both 'fam1:col1' and 'fam2:col1':
{code}
scan 'tab1'
scan 'tab1', {COLUMNS => 'fam1'}
get 'tab1', 'row1'
get 'tab1', 'row1', 'fam1'
{code}

This happens because for user it1 (from group IT) there is no column family to 
which it has family-level access in table 'tab1'.  She only has partial access 
to 'fam1' and no access to 'fam2'.  Whereas, while user it2 has partial access 
to fam1, since she has full access to fam2 the final results are right and 
include values from both fam1 and fam2.

The workaround for this issue is to create a dummy family in a table and give 
full access to that dummy family to all users that otherwise don't have full 
access to any other column family of that table.

So in the above example if you were to give the following grant then results of 
user it1 would be corrected:
{code}
grant '@IT', 'R', 'tab1', 'fam3'
{code}

In practice most often users have family level access so incidents of this 
issue in the field might be less.

  was:
Consider the following series of hbase shell commands

{code}
disable 'tab1'
drop 'tab1'
create 'tab1', 'fam1', 'fam2', 'fam3'
put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
{code}
Imagine that there are users it1 and it2, both belonging to user group IT.  
Let's grant them the following access:
{code}
grant '@IT', 'R', 'tab1', 'fam1', 'col1'
grant 'it2', 'R', 'tab1', 'fam2'
{code}

After this, if user it1 does any of the following accesses, then the user won't 
get back any rows, even though we would expect the user to get back 'row1' with 
data for 'fam1:col1':
{code}
scan 'tab1'
scan 'tab1', 'fam1'
get 'tab1', 'row1'
get 'tab1', 'row1', 'fam1'
{code}

However, doing the following works as expected.
{code}
scan 'tab1', 'fam1', 'col1'
get 'tab1', 'row1', 'fam1', 'col2'
{code}

Further, user it2 gets the right results when it does the following, i.e. she 
gets back results from both 'fam1:col1' and 'fam2:col1':
{code}
scan 'tab1'
scan 'tab1', 'fam1'
get 'tab1', 'row1'
get 'tab1', 'row1', 'fam1'
{code}

This happens because for user it1 (from group IT) there is no column family to 
which it has family-level access in table 'tab1'.  She only has partial access 
to 'fam1' and no access to 'fam2'.  Whereas, while user it2 has partial access 
to fam1, since she has full access to fam2 the final results are right and 
include values from both fam1 and fam2.

The workaround for this issue is to create a dummy family in a table and give 
full access to that dummy family to all users that otherwise don't have full 
access to any other column family of that table.

So in the above example if you were to give the following grant then results of 
user it1 would be corrected:
{code}
grant '@IT', 'R', 'tab1', 'fam3'
{code}

In practice most often users have family level access so incidents of this 
issue in the field might be less.


> Hbase plugin: if user does not have family-level access to any family in a 
> table then user may be incorrectly denied access done at table/family level 
> during get or scan
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-533
>                 URL: https://issues.apache.org/jira/browse/RANGER-533
>             Project: Ranger
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>            Reporter: Alok Lal
>            Assignee: Alok Lal



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
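
Added example, not part of the original report and not Ranger's plugin code: a small Ruby model of the grants in RANGER-533 that computes the cells each user should see, reproduces the reported symptom for table- and family-level requests, and lists users who hold only column-level grants and so need the dummy-family workaround. The data structures and function names are assumptions made for illustration.

```ruby
# Constructed data mirroring the report: cells in 'tab1' and group membership.
CELLS  = [%w[fam1 col1], %w[fam1 col2], %w[fam2 col1]].freeze
GROUPS = { 'it1' => ['IT'], 'it2' => ['IT'] }.freeze
GRANTS = [
  { who: '@IT', family: 'fam1', column: 'col1' }, # grant '@IT', 'R', 'tab1', 'fam1', 'col1'
  { who: 'it2', family: 'fam2', column: nil }     # grant 'it2', 'R', 'tab1', 'fam2'
].freeze
WORKAROUND = { who: '@IT', family: 'fam3', column: nil }.freeze

# Grants that apply to a user directly or through one of the user's groups.
def grants_for(user, grants)
  names = [user] + GROUPS.fetch(user, []).map { |g| "@#{g}" }
  grants.select { |g| names.include?(g[:who]) }
end

# Cells the grants permit for a get/scan, optionally narrowed to a family/column.
def expected(user, grants, family: nil, column: nil)
  mine = grants_for(user, grants)
  CELLS.select do |fam, col|
    (family.nil? || fam == family) && (column.nil? || col == column) &&
      mine.any? { |g| g[:family] == fam && (g[:column].nil? || g[:column] == col) }
  end
end

# True when the user holds a family-level grant on at least one family.
def family_level_grant?(user, grants)
  grants_for(user, grants).any? { |g| g[:column].nil? }
end

# Model of the reported symptom (an assumption drawn from the description):
# a table- or family-level request returns nothing unless the user has a
# family-level grant somewhere in the table; column-level requests are unaffected.
def observed(user, grants, family: nil, column: nil)
  return [] if column.nil? && !family_level_grant?(user, grants)
  expected(user, grants, family: family, column: column)
end

# Users who hold only column-level grants and so need the workaround grant.
def needs_workaround(grants)
  GROUPS.keys.select do |u|
    !grants_for(u, grants).empty? && !family_level_grant?(u, grants)
  end
end
```

Running `needs_workaround` over a policy export shaped like `GRANTS` shows which users a table-level scan would silently return nothing for until a family-level grant such as `WORKAROUND` is added.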
