[
https://issues.apache.org/jira/browse/HBASE-24744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160602#comment-17160602
]
Toshihiro Suzuki edited comment on HBASE-24744 at 7/19/20, 8:29 AM:
--------------------------------------------------------------------
As [~wchevreuil] mentioned, functionally speaking, this wouldn't be a problem.
However, as we give the super user special treatment, I don't think we need to add
the super user to the acl table.
It looks like *enable_table_replication* command involves modifyTable
internally and *AccessController* adds a user permission after modifyTable:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L919
I think we can skip this if the user is a super user. Making a PR for this.
Also, I think we can skip it for createTable, as well:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L820-L821
was (Author: brfrn169):
As [~wchevreuil] mentioned, functionally speaking, this wouldn't be a problem.
However as we give super user a special treatment, I don't think we need to add
super user to the acl table.
It looks like *enable_table_replication* command involves modifyTable
internally and *AccessController* adds a user permission after modifyTable:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L919
I think we can skip this if the user is super user. Making a RP for this.
Also, I think we can skip it for createTable, as well:
https://github.com/apache/hbase/blob/9b02a26a1d3e64fa6df5d89fe5d90f2cd33ca195/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L820-L821
> enable_table_replication command granting permissions on table automatically
> for the user
> -----------------------------------------------------------------------------------------
>
> Key: HBASE-24744
> URL: https://issues.apache.org/jira/browse/HBASE-24744
> Project: HBase
> Issue Type: Bug
> Components: acl, security
> Affects Versions: 2.1.0
> Reporter: Dhanalakshmi Periyalwar
> Assignee: Toshihiro Suzuki
> Priority: Minor
>
> While enabling the table replication for the user table as an hbase user
> using the "enable_table_replication" command, permission has been granted
> automatically for the hbase user and getting listed in hbase:acl. The same
> behaviour is applicable to other users too.
> Issue Replication Steps:
> ========================
> hbase(main):001:0> whoami
> dhana (auth:SIMPLE)
> groups: dhana
> Took 0.0214 seconds
>
> hbase(main):002:0> list
> TABLE
>
> 0 row(s)
> Took 0.4268 seconds
>
> => []
> hbase(main):003:0> create 'mytab','f1'
> Created table mytab
> Took 0.7834 seconds
>
> => Hbase::Table - mytab
> hbase(main):004:0> describe 'mytab'
> Table mytab is ENABLED
>
> mytab
>
> COLUMN FAMILIES DESCRIPTION
>
> {NAME => 'f1', VERSIONS => '1', EVICT_BLOCKS_ON_CLOSE => 'false',
> NEW_VERSION_BEHAVIOR => 'false', KE
> EP_DELETED_CELLS => 'FALSE', CACHE_DATA_ON_WRITE => 'false',
> DATA_BLOCK_ENCODING => 'NONE', TTL => 'F
> OREVER', MIN_VERSIONS => '0', REPLICATION_SCOPE => '0', BLOOMFILTER => 'ROW',
> CACHE_INDEX_ON_WRITE =>
> 'false', IN_MEMORY => 'false', CACHE_BLOOMS_ON_WRITE => 'false',
> PREFETCH_BLOCKS_ON_OPEN => 'false',
> COMPRESSION => 'NONE', BLOCKCACHE => 'true', BLOCKSIZE => '65536'}
>
> 1 row(s)
> Took 0.1319 seconds
>
> hbase(main):005:0> scan 'hbase:acl'
> ROW COLUMN+CELL
>
> hbase:acl column=l:dhana, timestamp=1593669605273,
> value=RWXCA
> mytab column=l:dhana, timestamp=1593673200269,
> value=RWXCA
> 2 row(s)
> Took 0.0969 seconds
>
> hbase(main):006:0> exit
> hbase(main):001:0> whoami
> hbase (auth:SIMPLE)
> groups: hbase
> Took 0.0271 seconds
>
>
> hbase(main):002:0> scan 'hbase:acl'
> ROW COLUMN+CELL
>
> hbase:acl column=l:dhana, timestamp=1593669605273,
> value=RWXCA
> mytab column=l:dhana, timestamp=1593673200269,
> value=RWXCA
> 2 row(s)
> Took 0.5223 seconds
>
> hbase(main):003:0> enable_table_replication 'mytab'
> The replication of table 'mytab' successfully enabled
> Took 16.0711 seconds
>
> hbase(main):004:0> scan 'hbase:acl'
> ROW COLUMN+CELL
>
> hbase:acl column=l:dhana, timestamp=1593669605273,
> value=RWXCA
> mytab column=l:dhana, timestamp=1593673200269,
> value=RWXCA
> mytab column=l:hbase, timestamp=1593673390976,
> value=RWXCA <========
> 2 row(s)
> Took 0.0089 seconds
>
>
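An added example (not part of the Jira thread or HBase's own code): a Ruby script that parses the `scan 'hbase:acl'` output shown in the issue and flags entries written for a superuser, which is the redundant grant discussed above. The superuser list `['hbase']` and the names `parse_acl_scan` and `superuser_entries` are assumptions for illustration.

```ruby
# Added example: flag hbase:acl entries that were written for a superuser.
# Assumption: the caller supplies the superuser names (here just 'hbase').

# One cell of the scan output: row key, grantee (qualifier in family "l"),
# timestamp and granted actions. The shell wraps long cells, so "value="
# may sit on the line after "column=..."; \s also matches that line break.
ACL_CELL = /^\s*(\S+)\s+column=l:([^,\s]+),\s*timestamp=(\d+),\s*value=(\S+)/

AclEntry = Struct.new(:row, :grantee, :timestamp, :actions)

# Parse the text printed by `scan 'hbase:acl'` into AclEntry records.
# Header, row-count and timing lines do not match the pattern and are skipped.
def parse_acl_scan(text)
  text.scan(ACL_CELL).map do |row, grantee, ts, actions|
    AclEntry.new(row, grantee, Integer(ts), actions)
  end
end

# Return the entries whose grantee is in the given superuser list.
def superuser_entries(entries, superusers)
  entries.select { |e| superusers.include?(e.grantee) }
end

# Sample input: the final scan from the issue description, quote marks removed.
SAMPLE_SCAN = <<~OUT
  ROW COLUMN+CELL
  hbase:acl column=l:dhana, timestamp=1593669605273,
  value=RWXCA
  mytab column=l:dhana, timestamp=1593673200269,
  value=RWXCA
  mytab column=l:hbase, timestamp=1593673390976,
  value=RWXCA <========
  2 row(s)
OUT

if __FILE__ == $PROGRAM_NAME
  superuser_entries(parse_acl_scan(SAMPLE_SCAN), ['hbase']).each do |e|
    puts "superuser grant in hbase:acl: row=#{e.row} user=#{e.grantee} " \
         "actions=#{e.actions} timestamp=#{e.timestamp}"
  end
end
```
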