[ https://issues.apache.org/jira/browse/HBASE-11791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14123576#comment-14123576 ]
Andrew Purtell commented on HBASE-11791:
----------------------------------------
{quote}
bq. Users with Create or Admin permissions are granted Write permission on meta
regions, so the table operations they are allowed to perform can complete, even
if technically the bits can be granted separately in any possible combination.

If this is true, seems a bug/missing check. Only "hbase" should be able to
write to META. Allowing other users to edit META seems a bad thing, even when
you are using hbck you must run as hbase.
{quote}
Yeah I don't think this is right. Users are granted read permissions on META
because all clients need to consult it for locating regions. Writes to META are
only done by HBase daemons. They may make those writes on behalf of user
initiated actions (which themselves can be restricted by ACLs) but the users
themselves are not making those writes.
If somehow we are allowing any user to write to META, that is a missing check
that needs to be fixed.
> Update docs on visibility tags and ACLs, transparent encryption, secure bulk
> upload
> -----------------------------------------------------------------------------------
>
> Key: HBASE-11791
> URL: https://issues.apache.org/jira/browse/HBASE-11791
> Project: HBase
> Issue Type: Task
> Components: documentation
> Reporter: Misty Stanley-Jones
> Assignee: Misty Stanley-Jones
> Attachments: HBASE-11791-v1.patch, HBASE-11791-v2.patch, HBase
> Security Features Operators Guide - HBaseCon 2014 - v5.pptx
>
>
> Do a pass on the ACL and tag docs and make sure they are up to date and
> accurate, expand to cover HBASE-10885, HBASE-11001, HBASE-11002, HBASE-11434