[ https://issues.apache.org/jira/browse/HBASE-6188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292420#comment-13292420 ]
Laxman commented on HBASE-6188: ------------------------------- I agree with you Andy. But if we keep DisableTable/EnableTable permission with ADMIN alone, to delete/modify a table a user should have both ADMIN and CREATE permissions. ADMIN access to disable a table and CREATE access to delete/modify the table. Or user with CREATE only access has to request the ADMIN user to disable/enable the table before/after DDL. So, I feel its better to keep DDL permissions with CREATE alone and clean separation between CREATE and ADMIN. *Current implementation* CREATE - CreateTable OWNER+CREATE *or* ADMIN - AddColumn, DeleteColumn, DeleteTable, ModifyColumn, ModifyTable, DisableTable, EnableTable *Proposed implementation* CREATE - CreateTable, AddColumn, DeleteColumn, DeleteTable, ModifyColumn, ModifyTable, DisableTable, EnableTable > Remove the concept of table owner > --------------------------------- > > Key: HBASE-6188 > URL: https://issues.apache.org/jira/browse/HBASE-6188 > Project: HBase > Issue Type: Sub-task > Components: security > Reporter: Andrew Purtell > Assignee: Laxman > Labels: security > > The table owner concept was a design simplification in the initial drop. > First, the design changes under review means only a user with GLOBAL CREATE > permission can create a table, which will probably be an administrator. > Then, granting implicit permissions may lead to oversights and it adds > unnecessary conditionals to our code. So instead the administrator with > GLOBAL CREATE permission should make the appropriate grants at table create > time. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira