[jira] [Created] (HBASE-14809) Namespace permission granted to group

Fri, 13 Nov 2015 12:11:39 -0800 

Steven Hancz created HBASE-14809:
------------------------------------

             Summary: Namespace permission granted to group 
                 Key: HBASE-14809
                 URL: https://issues.apache.org/jira/browse/HBASE-14809
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 1.0.2
            Reporter: Steven Hancz


Hi, 

We are looking to roll out HBase and are in the process to design the security 
model. 
We are looking to implement global DBAs and Namespace specific administrators. 
So for example the global dba would create a namespace and grant a user/group 
admin privileges within that ns. 
So that a given ns admin can in turn create objects and grant permission within 
the given ns only. 

We have run into some issues at the ns admin level. It appears that a ns admin 
can NOT grant to a grop unless it also has global admin privilege. But once it 
has global admin privilege it can grant in any NS not just the one where it has 
admin privileges. 

Based on the HBase documentation at 
http://hbase.apache.org/book.html#appendix_acl_matrix 

Table 13. ACL Matrix 
Interface       Operation       Permissions 
AccessController grant(global level) global(A) 
grant(namespace level) global(A)|NS(A) 

grant at a namespace level should be possible for someone with global A OR (|) 
NS A permission. 
As you will see in our test it does not work if NS A permission is granted but 
global A permission is not. 

Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1. 

hbase(main):011:0> scan 'hbase:acl' 
ROW COLUMN+CELL 
@finance column=l:sh82993, timestamp=1444405519510, value=RWXCA 
@gcbcppdn column=l:hdfs, timestamp=1446141119602, value=RWCXA 
@hbase column=l:hdfs, timestamp=1446141485136, value=RWCAX 
@ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA 

However: 
Here you can see that a user who is member of the group hbaseappltest_ns1admin 
can not grant a WRX privilege to a group as it is missing global A privilege. 

$hbase shell 
15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is 
deprecated. Instead, use io.native.lib.available 
HBase Shell; enter 'help<RETURN>' for list of supported commands. 
Type "exit<RETURN>" to leave the HBase Shell 
Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015 

hbase(main):001:0> whoami 
[email protected] (auth:KERBEROS) 
groups: hbaseappltest_ns1admin 

hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1' 

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'ns1admin' (global, action=ADMIN) 

The way I read the documentation a NS admin should be able to grant as it has 
ns level A privilege not only object level permission.

CDH is a version 5.4.7 and Hbase is version 1.0. 

Regards, 
Steven



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to