[ https://issues.apache.org/jira/browse/HBASE-10948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13970500#comment-13970500 ]

Jerry He commented on HBASE-10948:
----------------------------------

Hi, [~xieliang007]
You are right.  In a secure HBase instance, we should have more restrictive 
file permissions for HBase files.
Currently 'hbase.data.umask.enable' and 'hbase.data.umask' are used on the 
HBase side to control the file permissions. If they are not enabled, we will 
fall back to the filesystem level, where 'fs.permissions.umask-mode' will kick in.
I also agree we have two options as you mentioned:
1. Change to more restrictive default permissions when security is enabled. 
Currently if the user does not explicitly use 'hbase.data.umask' or 
'fs.permissions.umask-mode', we will have everyone '+r' on everything.
2. Document file permission setting recommendations more clearly on this 
page: https://hbase.apache.org/book/security.html

> Fix hbase table file 'x' mode
> -----------------------------
>
>                 Key: HBASE-10948
>                 URL: https://issues.apache.org/jira/browse/HBASE-10948
>             Project: HBase
>          Issue Type: Bug
>          Components: Filesystem Integration
>    Affects Versions: 0.96.2, 0.98.1
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 0.99.0
>
>         Attachments: HBASE-10948-trunk-v2.patch, HBASE-10948-trunk.patch
>
>
> The hbase table files currently all have 'x' mode in there:
> {code}
> $hadoop fs -ls -R /hbase/data/default/TestTable/
> drwxr-xr-x   - hbase biadmin          0 2014-04-08 20:53 /hbase/data/default/TestTable/.tabledesc
> -rw-r--r--   1 hbase biadmin        313 2014-04-08 20:53 /hbase/data/default/TestTable/.tabledesc/.tableinfo.0000000001
> drwxr-xr-x   - hbase biadmin          0 2014-04-08 20:53 /hbase/data/default/TestTable/724c8c3075da516b450ce4826327ce64
> -rwxr-xr-x   1 hbase biadmin         68 2014-04-08 20:53 /hbase/data/default/TestTable/724c8c3075da516b450ce4826327ce64/.regioninfo
> drwxr-xr-x   - hbase biadmin          0 2014-04-08 21:54 /hbase/data/default/TestTable/724c8c3075da516b450ce4826327ce64/info
> -rwxr-xr-x   1 hbase biadmin  272958577 2014-04-08 20:53 /hbase/data/default/TestTable/724c8c3075da516b450ce4826327ce64/info/7138e61cbcd24538b64726db13dab48e
> -rwxr-xr-x   1 hbase biadmin  108603714 2014-04-08 20:53 /hbase/data/default/TestTable/724c8c3075da516b450ce4826327ce64/info/9ce233fcdfde49679797d13f28e26129
> drwxr-xr-x   - hbase biadmin          0 2014-04-08 20:53 /hbase/data/default/TestTable/b5350c581363f786e49ff6f32e71f564
> -rwxr-xr-x   1 hbase biadmin         68 2014-04-08 20:53 /hbase/data/default/TestTable/b5350c581363f786e49ff6f32e71f564/.regioninfo
> drwxr-xr-x   - hbase biadmin          0 2014-04-08 21:54 /hbase/data/default/TestTable/b5350c581363f786e49ff6f32e71f564/info
> -rwxr-xr-x   1 hbase biadmin   33800049 2014-04-08 21:54 /hbase/data/default/TestTable/b5350c581363f786e49ff6f32e71f564/info/576190de431341b9a02280654e3deb58
> -rwxr-xr-x   1 hbase biadmin  108650474 2014-04-08 20:53 /hbase/data/default/TestTable/b5350c581363f786e49ff6f32e71f564/info/7c54098fb62a4ef29aab0f5658b25260
> {code}
> If the user does not specify 'hbase.data.umask', we use the fs default:
> FsPermission.getDefault()
> Instead we should use FsPermission.getFileDefault().



--
This message was sent by Atlassian JIRA
(v6.2#6252)
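
An added example, not part of the JIRA thread or the HBase code base: it models how the umask turns the two base modes named in the issue into the listed permissions, then audits `hadoop fs -ls -R` output for data files that are executable or readable by "other". It assumes Hadoop 2.x base modes (0777 for `FsPermission.getDefault()`, 0666 for `getFileDefault()`) and the stock `fs.permissions.umask-mode` of 022; the 077 umask and the sample listing are constructed for illustration.

```python
import re

DEFAULT = 0o777       # FsPermission.getDefault(): base mode used before the fix
FILE_DEFAULT = 0o666  # FsPermission.getFileDefault(): base mode proposed in the issue


def apply_umask(base, umask):
    """Effective mode once the umask bits are cleared from the base mode."""
    return base & ~umask & 0o777


def to_symbolic(mode):
    """Render a 9-bit mode the way 'hadoop fs -ls' prints it, e.g. rw-r--r--."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))


# type, permissions, replication, owner, group, size, date, time, path
LS_LINE = re.compile(
    r"^([d-])([rwx-]{9})\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$")


def audit(listing):
    """Return (path, problems) for regular files with risky permission bits."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or m.group(1) == "d":   # skip directories and unparsable lines
            continue
        perms, path = m.group(2), m.group(3)
        problems = []
        if "x" in perms:
            problems.append("exec bit on data file")
        if perms[6] == "r":
            problems.append("world-readable")
        if problems:
            findings.append((path, problems))
    return findings


# Constructed listing in the same format as the output quoted in the issue.
SAMPLE = """\
drwxr-xr-x   - hbase biadmin    0 2014-04-08 20:53 /hbase/data/default/T/r1
-rw-r--r--   1 hbase biadmin  313 2014-04-08 20:53 /hbase/data/default/T/.tableinfo
-rwxr-xr-x   1 hbase biadmin   68 2014-04-08 20:53 /hbase/data/default/T/r1/.regioninfo
-rw-------   1 hbase biadmin  100 2014-04-08 20:53 /hbase/data/default/T/r1/info/f1
"""

if __name__ == "__main__":
    for umask in (0o022, 0o077):
        print(oct(umask), to_symbolic(apply_umask(DEFAULT, umask)),
              to_symbolic(apply_umask(FILE_DEFAULT, umask)))
    for path, problems in audit(SAMPLE):
        print(path, ", ".join(problems))
```
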
