[
https://issues.apache.org/jira/browse/HBASE-12536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-12536:
-----------------------------------
Description:
The current implementation of the AccessController grants users with *GLOBAL*
CREATE or ADMIN privilege implicit write access to the META and ACL tables, so
when a new table is created new entries can be added to META and ACL
appropriately in the pre and post handlers with the credentials supplied in the
RPC context. Although any user with GLOBAL CREATE or ADMIN is already
superuser-like in many respects, the implicit write privilege is an artifact of
implementation that should be changed. We can remove the implicit write access.
After doing so, users with GLOBAL CREATE will not be able to elevate their
privileges unexpectedly through direct access to the ACL table. A GLOBAL ADMIN
will still correctly be allowed to grant themselves any desired privilege.
This issue was discovered and raised by [~devaraj] on private@hbase as a
potential security issue and was included in the 0.94.24 and 0.98.8 releases
prior to the filing of this JIRA.
I've set the priority of this issue only at 'Major' since it only affects users
with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a superuser, and
GLOBAL CREATE likewise should already also be considered superuser-lite access
and sparingly granted to trusted personnel.
was:
The current implementation of the AccessController grants users with *GLOBAL*
CREATE or ADMIN privilege implicit write access to the META and ACL tables, so
when a new table is created new entries can be added to META and ACL
appropriately in the pre and post handlers with the credentials supplied in the
RPC context. Although any user with GLOBAL CREATE or ADMIN is already
superuser-like in many respects, the implicit write privilege is an artifact of
implementation that should be changed. We can remove the implicit write access.
After doing so, users with GLOBAL CREATE will not be able to elevate their
privileges unexpectedly through direct access to the ACL table. A GLOBAL ADMIN
will still correctly be allowed to grant themselves any desired privilege.
This issue was discovered and raised by [~devaraj] on private@hbase as a
potential security issue and was included in the 0.98.8 release prior to the
filing of this JIRA.
I've set the priority of this issue only at 'Major' since it only affects users
with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a superuser, and
GLOBAL CREATE likewise should already also be considered superuser-lite access
and sparingly granted to trusted personnel.
> Reduce the effective scope of GLOBAL CREATE and ADMIN permission
> ----------------------------------------------------------------
>
> Key: HBASE-12536
> URL: https://issues.apache.org/jira/browse/HBASE-12536
> Project: HBase
> Issue Type: Bug
> Components: security
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Fix For: 2.0.0, 0.94.24, 0.98.8, 0.99.2
>
>
> The current implementation of the AccessController grants users with *GLOBAL*
> CREATE or ADMIN privilege implicit write access to the META and ACL tables,
> so when a new table is created new entries can be added to META and ACL
> appropriately in the pre and post handlers with the credentials supplied in
> the RPC context. Although any user with GLOBAL CREATE or ADMIN is already
> superuser-like in many respects, the implicit write privilege is an artifact
> of implementation that should be changed. We can remove the implicit write
> access. After doing so, users with GLOBAL CREATE will not be able to elevate
> their privileges unexpectedly through direct access to the ACL table. A
> GLOBAL ADMIN will still correctly be allowed to grant themselves any
> desired privilege.
> This issue was discovered and raised by [~devaraj] on private@hbase as a
> potential security issue and was included in the 0.94.24 and 0.98.8 releases
> prior to the filing of this JIRA.
> I've set the priority of this issue only at 'Major' since it only affects
> users with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a
> superuser, and GLOBAL CREATE likewise should already also be considered
> superuser-lite access and sparingly granted to trusted personnel.
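The difference the description draws between the implicit write access and the grant path can be put in the form of a regression check. This is an added example, not HBase's AccessController code or part of the original message; the `Cluster` class, its methods, the user names and the assumption that granting is checked against GLOBAL ADMIN separately from table write access are all hypothetical.

```python
# Toy model of the behaviour described in HBASE-12536 (constructed example,
# not HBase code; every name below is hypothetical).
SYSTEM_TABLES = {"META", "ACL"}


class Cluster:
    def __init__(self, implicit_system_write):
        # True models the old behaviour, False the behaviour after the change.
        self.implicit_system_write = implicit_system_write
        self.acl = {}  # stands in for the ACL table: user -> set of GLOBAL actions

    def has_global(self, user, action):
        return action in self.acl.get(user, set())

    def can_write(self, user, table):
        if table in SYSTEM_TABLES:
            privileged = self.has_global(user, "CREATE") or self.has_global(user, "ADMIN")
            # Old behaviour: GLOBAL CREATE or ADMIN implied write on META and ACL.
            return self.implicit_system_write and privileged
        return self.has_global(user, "WRITE")

    def put_acl_row(self, caller, target, action):
        """Direct client write to the ACL table, subject to the write check."""
        if not self.can_write(caller, "ACL"):
            raise PermissionError(f"{caller} may not write to ACL")
        self.acl.setdefault(target, set()).add(action)

    def grant(self, caller, target, action):
        # Assumed grant path: needs GLOBAL ADMIN, independent of table write access.
        if not self.has_global(caller, "ADMIN"):
            raise PermissionError(f"{caller} lacks GLOBAL ADMIN")
        self.acl.setdefault(target, set()).add(action)


def self_escalation_succeeds(implicit_system_write):
    """Does a GLOBAL CREATE user end up with ADMIN after a direct ACL write?"""
    c = Cluster(implicit_system_write)
    c.acl["creator"] = {"CREATE"}  # constructed sample grant
    try:
        c.put_acl_row("creator", "creator", "ADMIN")
    except PermissionError:
        pass
    return c.has_global("creator", "ADMIN")


def admin_can_still_grant(implicit_system_write):
    c = Cluster(implicit_system_write)
    c.acl["admin"] = {"ADMIN"}  # constructed sample grant
    c.grant("admin", "admin", "CREATE")
    return c.has_global("admin", "CREATE")
```

A real regression test for this change would assert the same two properties against a secured test cluster: the direct write is denied for a GLOBAL CREATE user, and granting still works for a GLOBAL ADMIN.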