[
https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005199#comment-15005199
]
Ashish Singhi commented on HBASE-14809:
---------------------------------------
1. Can we add the test in {{TestNamespaceCommands}} as we already have some
grant and revoke operation test their on namespace and will be able to assert
on global admin also.
2. Also suggest to verify for users denied to perform this action.
> Namespace permission granted to group
> --------------------------------------
>
> Key: HBASE-14809
> URL: https://issues.apache.org/jira/browse/HBASE-14809
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.2
> Reporter: Steven Hancz
> Attachments: 14809-v1.txt, 14809-v2.txt
>
>
> Hi,
> We are looking to roll out HBase and are in the process to design the
> security model.
> We are looking to implement global DBAs and Namespace specific
> administrators.
> So for example the global dba would create a namespace and grant a user/group
> admin privileges within that ns.
> So that a given ns admin can in turn create objects and grant permission
> within the given ns only.
> We have run into some issues at the ns admin level. It appears that a ns
> admin can NOT grant to a grop unless it also has global admin privilege. But
> once it has global admin privilege it can grant in any NS not just the one
> where it has admin privileges.
> Based on the HBase documentation at
> http://hbase.apache.org/book.html#appendix_acl_matrix
> Table 13. ACL Matrix
> Interface Operation Permissions
> AccessController grant(global level) global(A)
> grant(namespace level) global(A)|NS(A)
> grant at a namespace level should be possible for someone with global A OR
> (|) NS A permission.
> As you will see in our test it does not work if NS A permission is granted
> but global A permission is not.
> Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
> hbase(main):011:0> scan 'hbase:acl'
> ROW COLUMN+CELL
> @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
> However:
> Here you can see that a user who is member of the group
> hbaseappltest_ns1admin can not grant a WRX privilege to a group as it is
> missing global A privilege.
> $hbase shell
> 15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is
> deprecated. Instead, use io.native.lib.available
> HBase Shell; enter 'help<RETURN>' for list of supported commands.
> Type "exit<RETURN>" to leave the HBase Shell
> Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
> hbase(main):001:0> whoami
> [email protected] (auth:KERBEROS)
> groups: hbaseappltest_ns1admin
> hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions for user 'ns1admin' (global, action=ADMIN)
> The way I read the documentation a NS admin should be able to grant as it has
> ns level A privilege not only object level permission.
> CDH is a version 5.4.7 and Hbase is version 1.0.
> Regards,
> Steven
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
