[jira] [Commented] (HBASE-9206) namespace permissions

Fri, 16 Aug 2013 08:59:32 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-9206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13742337#comment-13742337
 ] 

Andrew Purtell commented on HBASE-9206:
---------------------------------------

bq. Tho I don't want namespace 'A' to permit namespace metadata manipulation as 
that's where we'll store quota information. So if we only allow global 'A' to 
manipulate namespace metadata then we're set?

+1

In which case seems no separate permission for metadata is needed now.

To summarize current discussion:

- 'RWXCA' on the namespace dominates permissions for tables and CFs in the 
namespace.

- 'C' on the namespace also allows table creation in the namespace.

- 'A' on the namespace does not grant admin privilege - let's document this 
exception clearly.

- Global permissions 'A' and 'C' dominate namespace perms and also grant admin 
and create perms on the namespace itself. 

- The AccessController should filter out tables for which the user doesn't have 
privilege when enumerating descriptors for the list table names APIs. We ignore 
cell level perms when deciding.

That right?
                
> namespace permissions
> ---------------------
>
>                 Key: HBASE-9206
>                 URL: https://issues.apache.org/jira/browse/HBASE-9206
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Francis Liu
>
> Now that we have namespaces let's address how we can give admins more 
> flexibility.
> Let's list out the privileges we'd like. Then we can map it to existing 
> privileges and see if we need more. 
> So far we have:
> 1. Modify namespace descriptor (ie quota, other values)
> 2. create namespace
> 3. delete namespace
> 4. list tables in namespace
> 5. create/drop tables in a namespace
> 6. All namespace's tables create
> 7. All namespace's tables write
> 8. All namespace's tables execute
> 9. All namespace's tables delete
> 10. All namespace's tables admin
> 1-3, is currently set to global admin only. Which seems acceptable to me.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to