[
https://issues.apache.org/jira/browse/HBASE-14809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ted Yu updated HBASE-14809:
---------------------------
Description:
Hi,
We are looking to roll out HBase and are in the process to design the security
model.
We are looking to implement global DBAs and Namespace specific administrators.
So for example the global dba would create a namespace and grant a user/group
admin privileges within that ns.
So that a given ns admin can in turn create objects and grant permission within
the given ns only.
We have run into some issues at the ns admin level. It appears that a ns admin
can NOT grant to a group unless it also has global admin privilege. But once it
has global admin privilege it can grant in any NS not just the one where it has
admin privileges.
Based on the HBase documentation at
http://hbase.apache.org/book.html#appendix_acl_matrix
Table 13. ACL Matrix
Interface          Operation                 Permissions
AccessController   grant(global level)       global(A)
                   grant(namespace level)    global(A)|NS(A)
grant at a namespace level should be possible for someone with global A OR (|)
NS A permission.
As you will see in our test it does not work if NS A permission is granted but
global A permission is not.
Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
{code}
hbase(main):011:0> scan 'hbase:acl'
ROW COLUMN+CELL
@ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
{code}
However:
Here you can see that a user who is a member of the group hbaseappltest_ns1admin
cannot grant a WRX privilege to a group as it is missing global A privilege.
{code}
$hbase shell
15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is
deprecated. Instead, use io.native.lib.available
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
hbase(main):001:0> whoami
[email protected] (auth:KERBEROS)
groups: hbaseappltest_ns1admin
hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'ns1admin' (global, action=ADMIN)
{code}
The way I read the documentation, a NS admin should be able to grant, as it has
ns-level A privilege, not only object-level permission.
CDH is version 5.4.7 and HBase is version 1.0.
Regards,
Steven
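Because the report turns on whether the documented rule (global(A)|NS(A)) matches what the AccessController enforced, the following is an added Python model of that authorization decision, written for this page and not taken from HBase or from the reporter. It parses rows in the shape of the `scan 'hbase:acl'` output above, matches a user by its own name and by each `@group` qualifier, and evaluates the documented rule beside the observed one for the reporter's ns1 admin and for a constructed global admin. The second scan row (user `globaldba`) is constructed, and storing global permissions under the row key `hbase:acl` is this model's assumption about HBase's table layout.

```python
# Added example: model of the HBase ACL-matrix rule for namespace-level grant.
# Not HBase's own code. Global permissions are modelled under the row key
# 'hbase:acl' (an assumption about HBase's storage layout).
import re

# Constructed scan 'hbase:acl' output: the reporter's ns1 row plus a constructed
# global-admin row (user 'globaldba') for comparison.
ACL_SCAN_OUTPUT = """
@ns1        column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
hbase:acl   column=l:globaldba, timestamp=1446676679788, value=RWXCA
"""

# row key, then column qualifier (the principal), then the permission letters
ROW_RE = re.compile(
    r"^(?P<row>\S+)\s+column=l:(?P<principal>[^,]+),.*value=(?P<perms>[RWXCA]+)$"
)


def parse_acl_scan(text):
    """Return {(row_key, principal): set of permission letters} from scan output."""
    acl = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # header lines such as 'ROW COLUMN+CELL' are skipped
        acl.setdefault((m["row"], m["principal"]), set()).update(m["perms"])
    return acl


def principals(user, groups):
    """A user is matched by its own name and by each of its groups as '@group'."""
    return [user] + ["@" + g for g in groups]


def has_admin(acl, row_key, user, groups):
    """True if any principal of the user holds 'A' at the given scope row."""
    return any("A" in acl.get((row_key, p), set()) for p in principals(user, groups))


def can_grant_documented(acl, user, groups, namespace):
    """ACL matrix rule: grant(namespace level) needs global(A) | NS(A)."""
    return (has_admin(acl, "hbase:acl", user, groups)
            or has_admin(acl, "@" + namespace, user, groups))


def can_grant_observed(acl, user, groups, namespace):
    """Behaviour seen in the report: only global(A) is accepted."""
    return has_admin(acl, "hbase:acl", user, groups)


def decision_table():
    """(documented, observed) decision for each constructed case."""
    acl = parse_acl_scan(ACL_SCAN_OUTPUT)
    cases = [
        ("ns1admin", ["hbaseappltest_ns1admin"], "ns1"),  # reporter's case
        ("ns1admin", ["hbaseappltest_ns1admin"], "ns2"),  # must stay denied
        ("globaldba", [], "ns2"),                         # global admin
    ]
    return {(u, ns): (can_grant_documented(acl, u, g, ns),
                      can_grant_observed(acl, u, g, ns))
            for u, g, ns in cases}


if __name__ == "__main__":
    for (u, ns), (doc, obs) in decision_table().items():
        print(f"{u:10} grant in @{ns}: documented={doc} observed={obs}")
```

The two rules only disagree for the ns1 admin inside its own namespace: the documented rule allows it while keeping ns2 denied, which is the least-privilege split the reporter wants. Working around the observed behaviour by handing the namespace admin global A is what the report warns against, because it then passes the check for every namespace.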
was:
Hi,
We are looking to roll out HBase and are in the process to design the security
model.
We are looking to implement global DBAs and Namespace specific administrators.
So for example the global dba would create a namespace and grant a user/group
admin privileges within that ns.
So that a given ns admin can in turn create objects and grant permission within
the given ns only.
We have run into some issues at the ns admin level. It appears that a ns admin
can NOT grant to a group unless it also has global admin privilege. But once it
has global admin privilege it can grant in any NS not just the one where it has
admin privileges.
Based on the HBase documentation at
http://hbase.apache.org/book.html#appendix_acl_matrix
Table 13. ACL Matrix
Interface          Operation                 Permissions
AccessController   grant(global level)       global(A)
                   grant(namespace level)    global(A)|NS(A)
grant at a namespace level should be possible for someone with global A OR (|)
NS A permission.
As you will see in our test it does not work if NS A permission is granted but
global A permission is not.
Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
hbase(main):011:0> scan 'hbase:acl'
ROW COLUMN+CELL
@ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
However:
Here you can see that a user who is a member of the group hbaseappltest_ns1admin
cannot grant a WRX privilege to a group as it is missing global A privilege.
$hbase shell
15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is
deprecated. Instead, use io.native.lib.available
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015
hbase(main):001:0> whoami
[email protected] (auth:KERBEROS)
groups: hbaseappltest_ns1admin
hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'ns1admin' (global, action=ADMIN)
The way I read the documentation, a NS admin should be able to grant, as it has
ns-level A privilege, not only object-level permission.
CDH is version 5.4.7 and HBase is version 1.0.
Regards,
Steven
> Namespace permission granted to group
> --------------------------------------
>
> Key: HBASE-14809
> URL: https://issues.apache.org/jira/browse/HBASE-14809
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.2
> Reporter: Steven Hancz
> Assignee: Ted Yu
> Attachments: 14809-v1.txt, 14809-v2.txt, 14809-v3.txt
>
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)