[ https://issues.apache.org/jira/browse/HBASE-6096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286445#comment-13286445 ]
Laxman commented on HBASE-6096:
-------------------------------
{quote}Matteo:
2) if you grant for 'A' you don't get RWC
so admin are not able to read but are able to perform actions
(create/delete/modify) on all tables{quote}
{quote}Andrew:
IMO, it's preferable to conceptualize ADMIN permission as only an extra bit
that allows you to interact with the Master on table management concerns.{quote}
@Matteo & Andy, thank you for your explanation.
Yes, I couldn't agree with the point "ADMIN can't READ/WRITE".
Say, GLOBAL/TABLE ADMIN should NOT be able to READ/WRITE from/to a table. But,
they should be able to do ADMIN operations (including grant, revoke, etc.) on
the table. Then, ADMIN can grant themselves any permission (CRW).
*It's an unwanted backdoor (may be a vulnerability). No?*
IMO, it's no use restricting ADMIN from READ/WRITE.
> AccessController v2
> -------------------
>
> Key: HBASE-6096
> URL: https://issues.apache.org/jira/browse/HBASE-6096
> Project: HBase
> Issue Type: Umbrella
> Components: security
> Affects Versions: 0.96.0, 0.94.1
> Reporter: Andrew Purtell
>
> Umbrella issue for iteration on the initial AccessController drop.