[
https://issues.apache.org/jira/browse/HBASE-6096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285554#comment-13285554
]
Matteo Bertozzi commented on HBASE-6096:
----------------------------------------
@Laxman, if you look at TableAuthManager, there are two SkipLists: USER_CACHE and
TABLE_USER_CACHE.
USER_CACHE contains the global rights; TABLE_USER_CACHE contains the table ones.

hbase.superuser is read at startup in TableAuthManager.initGlobal() and fills
USER_CACHE with the specified users with RWCA rights (so it is not just ADMIN, it is RWCA).

All CA operations are checked against the global rights (USER_CACHE),
so specifying CA in table rights has no effect.

grant 'user', 'RWCA' -> fills USER_CACHE (global rights)
grant 'user', 'RW', 'table' -> fills TABLE_USER_CACHE

This means that if you're "global granted" (CREATE/ADMIN) you can add/modify/remove
tables, with the restriction that if you have CREATE you can only modify/delete
your own tables, while with ADMIN you can modify/delete all the available tables.

If you're table granted you can only read/write, depending on what your
permission is, but you don't have the ability to create/modify/delete even if
you have CA (CA is not checked against TABLE_USER_CACHE, just USER_CACHE).

For checkAndPut()/checkAndDelete() there's an open JIRA, HBASE-6062, and yes, it
needs to check both Read and Write.
> AccessController v2
> -------------------
>
> Key: HBASE-6096
> URL: https://issues.apache.org/jira/browse/HBASE-6096
> Project: HBase
> Issue Type: Umbrella
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Andrew Purtell
>
> Umbrella issue for iteration on the initial AccessController drop.
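Added example, not part of the original message and not HBase code: a simplified Python model of the two-cache lookup described in the comment, useful for seeing why a table-level C/A grant is never consulted. The class, method and field names, the owner map, and the rule that a global R/W grant covers every table are assumptions made for illustration.

```python
# Added illustration: a simplified model of the checks described above, not HBase code.
from collections import defaultdict

class AuthModel:
    def __init__(self, superusers=()):
        self.user_cache = defaultdict(set)        # user -> global actions
        self.table_user_cache = defaultdict(set)  # (table, user) -> table actions
        self.owners = {}                          # table -> creator (hypothetical field)
        for user in superusers:                   # hbase.superuser gets RWCA at startup
            self.user_cache[user] |= set("RWCA")

    def grant(self, user, actions, table=None):
        # grant 'user','RWCA' fills user_cache; grant 'user','RW','table' fills table_user_cache
        if table is None:
            self.user_cache[user] |= set(actions)
        else:
            self.table_user_cache[(table, user)] |= set(actions)

    def can_access(self, user, table, action):
        # R/W: assumption that a global grant covers every table, else the table grant decides
        return (action in self.user_cache[user]
                or action in self.table_user_cache[(table, user)])

    def can_create(self, user):
        # C/A are looked up in the global cache only
        return bool(self.user_cache[user] & {"C", "A"})

    def create_table(self, user, table):
        if not self.can_create(user):
            raise PermissionError(f"{user} lacks global CREATE/ADMIN")
        self.owners[table] = user

    def can_alter_or_drop(self, user, table):
        rights = self.user_cache[user]
        if "A" in rights:                 # ADMIN: any table
            return True
        return "C" in rights and self.owners.get(table) == user  # CREATE: own tables

    def ineffective_table_grants(self):
        # Audit helper: table-level C/A entries that no check ever consults
        return sorted((t, u, "".join(sorted(acts & {"C", "A"})))
                      for (t, u), acts in self.table_user_cache.items()
                      if acts & {"C", "A"})

def demo():
    m = AuthModel(superusers=["hbase"])           # constructed sample users and tables
    m.grant("alice", "RWC")
    m.grant("bob", "RWCA", table="t1")
    m.create_table("alice", "t1")
    m.create_table("hbase", "t2")
    return m
```

Calling ineffective_table_grants() on the model returned by demo() lists bob's table-level C/A on t1, the kind of grant an ACL review should flag as having no effect.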