[
https://issues.apache.org/jira/browse/HBASE-8409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13737406#comment-13737406
]
Francis Liu commented on HBASE-8409:
------------------------------------
{quote}
I was wondering if it would be possible to change this bit of logic on
namespace grants from a test for WRITE to a test for CREATE or (CREATE|ADMIN).
In your administrative model, is there such a thing as namespace ADMIN or a
user with privilege to CREATE in the namespace only?
{quote}
Might be reading this wrong. But that's what the test for namespace write
privilege was for. Namespace write privilege allows the user to create tables
within the namespace only.
> Security support for namespaces
> -------------------------------
>
> Key: HBASE-8409
> URL: https://issues.apache.org/jira/browse/HBASE-8409
> Project: HBase
> Issue Type: Sub-task
> Reporter: Francis Liu
> Assignee: Vandana Ayyalasomayajula
> Priority: Blocker
> Fix For: 0.98.0, 0.95.2
>
> Attachments: HBASE-8049_trunk.patch, HBASE-8409_2.patch,
> HBASE-8409_3.patch, TestNamespaceUpgrade.tgz
>
>
> This task adds the security piece to the namespace feature. The work related
> to migration of the existing acl table to the new namespace is remaining and
> will be completed in the follow up patch. Permissions can be granted to a
> namespace by the hbase admin, by appending '@' to the namespace name. A user
> with write or admin permissions on a given namespace can create tables in
> that namespace. The other privileges (R, X, C ) do not have any special
> meaning w.r.t namespaces. Any users of hbase can list tables in a namespace.
>
> The following commands can only be executed by HBase admins.
> 1. Grant privileges for user on Namespace.
> 2. Revoke privileges for user on Namespace
> Grant Command:
> hbase> grant 'tenant-A' 'W' '@N1'
> In the above example, the command will grant the user 'tenant-A' write
> privileges for a namespace named "N1".
> Revoke Command:
> hbase> revoke 'tenant-A''@N1'
> In the above example, the command will revoke all privileges from user
> 'tenant-A' for namespace named "N1".
> Lets see an example on how privileges work with namespaces.
>
> User "Mike" request for a namespace named "hbase_perf" with the hbase admin.
> whoami: hbase
> hbase shell >> namespace_create 'hbase_perf'
> hbase shell >> grant 'mike', 'W', '@hbase_perf'
> Mike creates two tables "table20" and "table50" in the above workspace.
> whoami: mike
> hbase shell >> create 'hbase_perf.table20', 'family1'
> hbase shell >> create 'hbase_perf.table50', 'family1'
> Note: As Mike was able to create tables 'hbase_perf.table20',
> 'hbase_perf.table50', he becomes the owner of those tables.
> This means he has "RWXCA" perms on those tables.
> Another team member of Mike, Alice wants also to share the same workspace
> "hbase_perf". HBase admin grants Alice also permission to create tables in
> "hbase_perf" namespace.
> whoami: hbase
> hbase shell >> grant 'alice', 'W', '@hbase_perf'
> Now Alice can create new tables under "hbase_perf" namespace, but cannot
> read,write,alter,delete existing tables in the namespace.
>
> whoami: alice
> hbase shell >> namespace_list_tables 'hbase_perf'
> hbase_perf.table20
> hbase_perf.table50
> hbase shell >> scan 'hbase_perf.table20'
> AccessDeniedException
>
> If Alice wants to read or write to existing tables in the "hbase_perf"
> namespace, hbase admins need to explicitly grant permission.
>
> whoami: hbase
> hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20'
> hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50'
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
