[
https://issues.apache.org/jira/browse/HBASE-14818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
li xiang updated HBASE-14818:
-----------------------------
Description:
The user_permission command does not list namespace permissions:
For example: if I create a new namespace or use an existing namespace and grant
a user privileges to that namespace, the command user_permission does not list
it. The permission is visible in the acl table.
Example:
hbase(main):005:0> create_namespace 'ns3'
0 row(s) in 0.1640 seconds
hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
0 row(s) in 0.5680 seconds
hbase(main):008:0> user_permission '.*'
User Namespace,Table,Family,Qualifier:Permission
sh82993 finance,finance:emp,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
@hbaseglobaldba hbase,hbase:acl,,: [Permission:
actions=EXEC,CREATE,ADMIN]
@hbaseglobaloper hbase,hbase:acl,,: [Permission:
actions=EXEC,ADMIN]
hdfs hbase,hbase:acl,,: [Permission:
actions=READ,WRITE,CREATE,ADMIN,EXEC]
sh82993 ns1,ns1:tbl1,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
ns1admin ns1,ns1:tbl2,,: [Permission:
actions=EXEC,CREATE,ADMIN]
@hbaseappltest_ns1funct ns1,ns1:tbl2,,: [Permission:
actions=READ,WRITE,EXEC]
ns1funct ns1,ns1:tbl2,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
hbase ns2,ns2:tbl1,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
9 row(s) in 1.8090 seconds
As you can see user test_user does not appear in the output, but on can see the
permission in the ACL table.
hbase(main):001:0> scan 'hbase:acl'
ROW COLUMN+CELL
@finance column=l:sh82993, timestamp=1444405519510,
value=RWXCA
@gcbcppdn column=l:hdfs, timestamp=1446141119602,
value=RWCXA
@hbase column=l:hdfs, timestamp=1446141485136,
value=RWCAX
@ns1 column=l:@hbaseappltest_ns1admin,
timestamp=1447437007467, value=RWXCA
@ns1 column=l:@hbaseappltest_ns1funct,
timestamp=1447427366835, value=RWX
@ns2 column=l:@hbaseappltest_ns2admin,
timestamp=1446674470456, value=XCA
@ns2 column=l:test_user, timestamp=1447692840030,
value=RWAC
@ns3 column=l:test_user, timestamp=1447692860434,
value=RWXAC
finance:emp column=l:sh82993, timestamp=1444407723316,
value=RWXCA
hbase:acl column=l:@hbaseglobaldba,
timestamp=1446590375370, value=XCA
hbase:acl column=l:@hbaseglobaloper,
timestamp=1446590387965, value=XA
hbase:acl column=l:hdfs, timestamp=1446141737213,
value=RWCAX
ns1:tbl1 column=l:sh82993, timestamp=1446674153058,
value=RWXCA
ns1:tbl2 column=l:@hbaseappltest_ns1funct,
timestamp=1447183824580, value=RWX
ns1:tbl2 column=l:ns1admin, timestamp=1447183766370,
value=XCA
ns1:tbl2 column=l:ns1funct, timestamp=1447184077545,
value=RWXCA
ns2:tbl1 column=l:hbase, timestamp=1447182228314,
value=RWXCA
11 row(s) in 0.4990 seconds
It would be nice to be able to see namespace permissions via the
user_permission '.*' command as scanning the acl table is not the recommended
way to view object permissions. Especially if one is looking to access base via
a shell and collect ACL information.
Steven
was:
The user_permission command does not list namespace permissions:
For example: if I create a new namespace or use an existing namespace and grant
a user privileges to that namespace the command user_permission does not list
the. The permission is visible in the acl table.
Example:
hbase(main):005:0> create_namespace 'ns3'
0 row(s) in 0.1640 seconds
hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
0 row(s) in 0.5680 seconds
hbase(main):008:0> user_permission '.*'
User Namespace,Table,Family,Qualifier:Permission
sh82993 finance,finance:emp,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
@hbaseglobaldba hbase,hbase:acl,,: [Permission:
actions=EXEC,CREATE,ADMIN]
@hbaseglobaloper hbase,hbase:acl,,: [Permission:
actions=EXEC,ADMIN]
hdfs hbase,hbase:acl,,: [Permission:
actions=READ,WRITE,CREATE,ADMIN,EXEC]
sh82993 ns1,ns1:tbl1,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
ns1admin ns1,ns1:tbl2,,: [Permission:
actions=EXEC,CREATE,ADMIN]
@hbaseappltest_ns1funct ns1,ns1:tbl2,,: [Permission:
actions=READ,WRITE,EXEC]
ns1funct ns1,ns1:tbl2,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
hbase ns2,ns2:tbl1,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]
9 row(s) in 1.8090 seconds
As you can see user test_user does not appear in the output, but on can see the
permission in the ACL table.
hbase(main):001:0> scan 'hbase:acl'
ROW COLUMN+CELL
@finance column=l:sh82993, timestamp=1444405519510,
value=RWXCA
@gcbcppdn column=l:hdfs, timestamp=1446141119602,
value=RWCXA
@hbase column=l:hdfs, timestamp=1446141485136,
value=RWCAX
@ns1 column=l:@hbaseappltest_ns1admin,
timestamp=1447437007467, value=RWXCA
@ns1 column=l:@hbaseappltest_ns1funct,
timestamp=1447427366835, value=RWX
@ns2 column=l:@hbaseappltest_ns2admin,
timestamp=1446674470456, value=XCA
@ns2 column=l:test_user, timestamp=1447692840030,
value=RWAC
@ns3 column=l:test_user, timestamp=1447692860434,
value=RWXAC
finance:emp column=l:sh82993, timestamp=1444407723316,
value=RWXCA
hbase:acl column=l:@hbaseglobaldba,
timestamp=1446590375370, value=XCA
hbase:acl column=l:@hbaseglobaloper,
timestamp=1446590387965, value=XA
hbase:acl column=l:hdfs, timestamp=1446141737213,
value=RWCAX
ns1:tbl1 column=l:sh82993, timestamp=1446674153058,
value=RWXCA
ns1:tbl2 column=l:@hbaseappltest_ns1funct,
timestamp=1447183824580, value=RWX
ns1:tbl2 column=l:ns1admin, timestamp=1447183766370,
value=XCA
ns1:tbl2 column=l:ns1funct, timestamp=1447184077545,
value=RWXCA
ns2:tbl1 column=l:hbase, timestamp=1447182228314,
value=RWXCA
11 row(s) in 0.4990 seconds
It would be nice to be able to see namespace permissions via the
user_permission '.*' command as scanning the acl table is not the recommended
way to view object permissions. Especially if one is looking to access base via
a shell and collect ACL information.
Steven
> user_permission does not list namespace permissions
> ---------------------------------------------------
>
> Key: HBASE-14818
> URL: https://issues.apache.org/jira/browse/HBASE-14818
> Project: HBase
> Issue Type: Bug
> Components: hbase
> Affects Versions: 1.0.2
> Reporter: Steven Hancz
> Assignee: li xiang
> Priority: Minor
>
> The user_permission command does not list namespace permissions:
> For example: if I create a new namespace or use an existing namespace and
> grant a user privileges to that namespace, the command user_permission does
> not list it. The permission is visible in the acl table.
> Example:
> hbase(main):005:0> create_namespace 'ns3'
> 0 row(s) in 0.1640 seconds
> hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
> 0 row(s) in 0.5680 seconds
> hbase(main):008:0> user_permission '.*'
> User
> Namespace,Table,Family,Qualifier:Permission
>
> sh82993 finance,finance:emp,,: [Permission:
> actions=READ,WRITE,EXEC,CREATE,ADMIN]
> @hbaseglobaldba hbase,hbase:acl,,: [Permission:
> actions=EXEC,CREATE,ADMIN]
> @hbaseglobaloper hbase,hbase:acl,,: [Permission:
> actions=EXEC,ADMIN]
> hdfs hbase,hbase:acl,,: [Permission:
> actions=READ,WRITE,CREATE,ADMIN,EXEC]
> sh82993 ns1,ns1:tbl1,,: [Permission:
> actions=READ,WRITE,EXEC,CREATE,ADMIN]
> ns1admin ns1,ns1:tbl2,,: [Permission:
> actions=EXEC,CREATE,ADMIN]
> @hbaseappltest_ns1funct ns1,ns1:tbl2,,: [Permission:
> actions=READ,WRITE,EXEC]
> ns1funct ns1,ns1:tbl2,,: [Permission:
> actions=READ,WRITE,EXEC,CREATE,ADMIN]
> hbase ns2,ns2:tbl1,,: [Permission:
> actions=READ,WRITE,EXEC,CREATE,ADMIN]
> 9 row(s) in 1.8090 seconds
> As you can see user test_user does not appear in the output, but on can see
> the permission in the ACL table.
> hbase(main):001:0> scan 'hbase:acl'
> ROW COLUMN+CELL
>
> @finance column=l:sh82993, timestamp=1444405519510,
> value=RWXCA
> @gcbcppdn column=l:hdfs, timestamp=1446141119602,
> value=RWCXA
> @hbase column=l:hdfs, timestamp=1446141485136,
> value=RWCAX
> @ns1 column=l:@hbaseappltest_ns1admin,
> timestamp=1447437007467, value=RWXCA
> @ns1 column=l:@hbaseappltest_ns1funct,
> timestamp=1447427366835, value=RWX
> @ns2 column=l:@hbaseappltest_ns2admin,
> timestamp=1446674470456, value=XCA
> @ns2 column=l:test_user,
> timestamp=1447692840030, value=RWAC
>
> @ns3 column=l:test_user,
> timestamp=1447692860434, value=RWXAC
>
> finance:emp column=l:sh82993, timestamp=1444407723316,
> value=RWXCA
> hbase:acl column=l:@hbaseglobaldba,
> timestamp=1446590375370, value=XCA
> hbase:acl column=l:@hbaseglobaloper,
> timestamp=1446590387965, value=XA
> hbase:acl column=l:hdfs, timestamp=1446141737213,
> value=RWCAX
> ns1:tbl1 column=l:sh82993, timestamp=1446674153058,
> value=RWXCA
> ns1:tbl2 column=l:@hbaseappltest_ns1funct,
> timestamp=1447183824580, value=RWX
> ns1:tbl2 column=l:ns1admin,
> timestamp=1447183766370, value=XCA
>
> ns1:tbl2 column=l:ns1funct,
> timestamp=1447184077545, value=RWXCA
>
> ns2:tbl1 column=l:hbase, timestamp=1447182228314,
> value=RWXCA
> 11 row(s) in 0.4990 seconds
> It would be nice to be able to see namespace permissions via the
> user_permission '.*' command as scanning the acl table is not the recommended
> way to view object permissions. Especially if one is looking to access base
> via a shell and collect ACL information.
> Steven
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
