[
https://issues.apache.org/jira/browse/HBASE-11972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14133052#comment-14133052
]
Anoop Sam John commented on HBASE-11972:
----------------------------------------
bq. RPC to go through since the end-user doesn't have write access to the
hbase:acl table...
In AccessController#permissionGranted(String request, User user, Action
permRequest, RegionCoprocessorEnvironment e, Map<byte [], ? extends
Collection<?>> families)
{code}
// Users with CREATE/ADMIN rights need to modify hbase:meta and _acl_ table
// e.g. When a new table is created a new entry in hbase:meta is added,
// so the user need to be allowed to write on it.
// e.g. When a table is removed an entry is removed from hbase:meta and _acl_
// and the user need to be allowed to write on both tables.
if (permRequest == Action.WRITE &&
    (hri.isMetaRegion() ||
     Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) &&
    (authManager.authorize(user, Action.CREATE) ||
     authManager.authorize(user, Action.ADMIN))) {
  return AuthResult.allow(request, "Table permission granted", user,
      permRequest, tableName, families);
}
{code}
Here the user who created the table (end-user) will have the global create
permission, and the above code won't help???
> The "doAs user" used in the update to hbase:acl table RPC is incorrect
> ----------------------------------------------------------------------
>
> Key: HBASE-11972
> URL: https://issues.apache.org/jira/browse/HBASE-11972
> Project: HBase
> Issue Type: Bug
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Priority: Critical
> Fix For: 2.0.0, 0.98.7, 0.99.1
>
> Attachments: 11972-1.txt
>
>
> This is a follow-up to HBASE-11886. I missed one doAs in the patch. We
> discovered the issue in our internal testing with security ON.