[ https://issues.apache.org/jira/browse/HBASE-22581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16863769#comment-16863769 ]
István Tóth commented on HBASE-22581:
-------------------------------------
The acl table looks okay:
{code:java}
hbase(main):001:0> scan 'hbase:acl'
ROW COLUMN+CELL
hbase:acl column=l:regularUser1, timestamp=1560496307045, value=C
nunuke column=l:regularUser1, timestamp=1560496417455, value=RWXCA
nunuke column=l:regularUser2, timestamp=1560496419170, value=RX
2 row(s)
{code}
but revoke still fails.
So the problem in general seems to be that table level ADMIN permission does
not actually grant revoke rights on the table.
> user with "CREATE" permission can grant, but not revoke permissions on
> created table
> ------------------------------------------------------------------------------------
>
> Key: HBASE-22581
> URL: https://issues.apache.org/jira/browse/HBASE-22581
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.1.1, 2.1.5, 2.1.6
> Reporter: István Tóth
> Priority: Major
>
> A user that only has global or namespace "CREATE" permission can grant
> permissions to another user on its created table, but cannot revoke them.
> This bug exists on branch-2.1, from 2.1.1.
> 2.0, 2.1.0, master, and branch-2.2 are not affected.
> The bug can be triggered via hbase shell:
> {code:java}
> #Start hbase shell as superuser
> #export HADOOP_USER_NAME=hbase
> hbase shell
> grant 'regularUser1', 'C'
> exit
> #Run hbase shell as regularUser1
> #grant, then revoke 'RX' permission to regularUser2
> #export HADOOP_USER_NAME=regularUser1
> hbase shell
> create 'nunuke','nunuke'
> grant 'regularUser2', 'RX', 'nunuke'
> #This will fail on 2.1.1+
> revoke 'regularUser2', 'nunuke'
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
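
The `scan 'hbase:acl'` output in the comment above can be decoded mechanically when auditing who holds which rights. The following is an added example, not part of the original message or of HBase itself; it assumes the usual layout (global grants under the row `hbase:acl`, namespace rows prefixed with `@`) and handles table-level cells only. The function names are hypothetical.

```python
import re

# Permission letters as used by the HBase shell's grant command.
ACTIONS = {"R": "READ", "W": "WRITE", "X": "EXEC", "C": "CREATE", "A": "ADMIN"}
GLOBAL_ROW = "hbase:acl"  # assumption: global grants are stored under this row key

# Scan output copied from the comment above.
SCAN_OUTPUT = """\
ROW COLUMN+CELL
hbase:acl column=l:regularUser1, timestamp=1560496307045, value=C
nunuke column=l:regularUser1, timestamp=1560496417455, value=RWXCA
nunuke column=l:regularUser2, timestamp=1560496419170, value=RX
2 row(s)
"""

CELL = re.compile(
    r"^(?P<row>\S+)\s+column=l:(?P<who>[^,]+),\s*"
    r"timestamp=\d+,\s*value=(?P<perm>[RWXCA]*)$"
)

def parse_acl_scan(text):
    """Return {(scope, name, grantee): set of action names}."""
    grants = {}
    for line in text.splitlines():
        m = CELL.match(line.strip())
        if not m:
            continue  # header, row count, blank lines
        row = m["row"]
        if row == GLOBAL_ROW:
            scope, name = "global", ""
        elif row.startswith("@"):  # assumption: namespace rows start with '@'
            scope, name = "namespace", row[1:]
        else:
            scope, name = "table", row
        grants[(scope, name, m["who"])] = {ACTIONS[c] for c in m["perm"]}
    return grants

def holders(grants, scope, name, action):
    """Grantees that hold `action` at exactly this scope."""
    return sorted(who for (s, n, who), acts in grants.items()
                  if s == scope and n == name and action in acts)

if __name__ == "__main__":
    g = parse_acl_scan(SCAN_OUTPUT)
    for key in sorted(g):
        print(key, sorted(g[key]))
    print("table ADMIN on nunuke:", holders(g, "table", "nunuke", "ADMIN"))
```
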