[jira] [Comment Edited] (HBASE-13336) Consistent rules for security meta table protections

Wed, 25 Mar 2015 18:57:10 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-13336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14381211#comment-14381211
 ] 

Andrew Purtell edited comment on HBASE-13336 at 3/26/15 1:56 AM:
-----------------------------------------------------------------

The rules, in my opinion, should be:
- Allow adding columns, but only if superuser
- Allow modifying column or table descriptor attributes, but only if superuser
- Unconditionally disallow required column and table drops. If the superuser is 
asking, log a WARN indicating the coprocessors must be removed from config 
first. If the superuser added some column we don't care about and later wants 
to drop it, that would be fine.
- Unconditionally disallow table disable. If the superuser is asking, log a 
WARN indicating the coprocessors must be removed from config first.
- Allow enable (a no-op hopefully) and other admin requests (flush, compaction, 
region move), only if the user has ADMIN privilege (AC) or if superuser (VC)


was (Author: apurtell):
The rules, in my opinion, should be:
- Allow adding columns, but only if superuser
- Allow modifying column or table descriptor attributes, but only if superuser
- Unconditionally disallow column and table drops. If the superuser is asking, 
log a WARN indicating the coprocessors must be removed from config first.
- Unconditionally disallow table disable. If the superuser is asking, log a 
WARN indicating the coprocessors must be removed from config first.
- Allow enable (a no-op hopefully) and other admin requests (flush, compaction, 
region move), only if the user has ADMIN privilege (AC) or if superuser (VC)

> Consistent rules for security meta table protections
> ----------------------------------------------------
>
>                 Key: HBASE-13336
>                 URL: https://issues.apache.org/jira/browse/HBASE-13336
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Andrew Purtell
>
> The AccessController and VisibilityController do different things regarding 
> protecting their meta tables. The AC allows schema changes and disable/enable 
> if the user has permission. The VC unconditionally disallows all admin 
> actions. Generally, bad things will happen if these meta tables are damaged, 
> disabled, or dropped. The likely outcome is random frequent (or constant) 
> server side op failures with nasty stack traces. We should have consistent 
> and sensible rules for protecting security meta tables.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to