[jira] [Updated] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization

Wed, 25 Mar 2015 18:19:45 -0700 

     [ 
https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Purtell updated HBASE-13275:
-----------------------------------
    Attachment: HBASE-13275.patch

You'll probably like this patch a lot better. We do more work when installed, 
but maintain audit logging, we simply don't throw AccessDeniedExceptions. We 
also don't wrap scanners, although the audit log will still indicate access 
would be allowed with a filter. 

Ping [~anoop.hbase] and/or [[email protected]] for a check of 
the VC changes if you have a moment.

When looking at the code I noticed the AccessController and 
VisibilityController do different things regarding protecting their meta 
tables. The rule, in my opinion, should be alterations to schema and disabling 
should be disallowed except by the superuser, but I'll file another issue to 
tackle that separately. Bad things will happen if these meta tables are 
damaged, disabled, or dropped. The AC allows it if the user has permission. The 
VC unconditionally disallows it.

> Setting hbase.security.authorization to false does not disable authorization
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-13275
>                 URL: https://issues.apache.org/jira/browse/HBASE-13275
>             Project: HBase
>          Issue Type: Bug
>            Reporter: William Watson
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13
>
>         Attachments: HBASE-13275.patch, HBASE-13275.patch
>
>
> According to the docs provided by Cloudera (we're not running Cloudera, BTW), 
> this is the list of configs to enable authorization in HBase:
> {code}
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
> We wanted to then disable authorization but simply setting 
> hbase.security.authorization to false did not disable the authorization



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to