[
https://issues.apache.org/jira/browse/HBASE-6188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292420#comment-13292420
]
Laxman commented on HBASE-6188:
-------------------------------
I agree with you Andy. But if we keep DisableTable/EnableTable permission with
ADMIN alone, to delete/modify a table a user should have both ADMIN and CREATE
permissions. ADMIN access to disable a table and CREATE access to delete/modify
the table. Or user with CREATE only access has to request the ADMIN user to
disable/enable the table before/after DDL.
So, I feel its better to keep DDL permissions with CREATE alone and clean
separation between CREATE and ADMIN.
*Current implementation*
CREATE - CreateTable
OWNER+CREATE *or* ADMIN - AddColumn, DeleteColumn, DeleteTable, ModifyColumn,
ModifyTable, DisableTable, EnableTable
*Proposed implementation*
CREATE - CreateTable, AddColumn, DeleteColumn, DeleteTable, ModifyColumn,
ModifyTable, DisableTable, EnableTable
> Remove the concept of table owner
> ---------------------------------
>
> Key: HBASE-6188
> URL: https://issues.apache.org/jira/browse/HBASE-6188
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Andrew Purtell
> Assignee: Laxman
> Labels: security
>
> The table owner concept was a design simplification in the initial drop.
> First, the design changes under review means only a user with GLOBAL CREATE
> permission can create a table, which will probably be an administrator.
> Then, granting implicit permissions may lead to oversights and it adds
> unnecessary conditionals to our code. So instead the administrator with
> GLOBAL CREATE permission should make the appropriate grants at table create
> time.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
