[ https://issues.apache.org/jira/browse/HBASE-6188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292939#comment-13292939 ]

Laxman commented on HBASE-6188:
-------------------------------

Thanks Ram for pitching in.

Andy, we definitely agree with your point. Just reiterating my previous comments.

{quote}
I agree with you Andy. But if we keep DisableTable/EnableTable permission with 
ADMIN alone, to delete/modify a table a user should have both ADMIN and CREATE 
permissions. ADMIN access to disable a table and CREATE access to delete/modify 
the table. Or a user with CREATE-only access has to request the ADMIN user to
disable/enable the table before/after DDL.
{quote}

So, deleting a table requires two different users or one user with both
permissions. This is my only concern.

Thanks for the clarification. Please provide your opinion on this.

CREATE - (DDL) CreateTable, AddColumn, DeleteColumn, DeleteTable, ModifyColumn, ModifyTable
ADMIN - DisableTable, EnableTable

bq. it is a large subset of ADMIN permission.

Please note that the above are two disjoint sets. That means DDL operations can't
be done by ADMIN. Hope that should make them clean.

> Remove the concept of table owner
> ---------------------------------
>
>                 Key: HBASE-6188
>                 URL: https://issues.apache.org/jira/browse/HBASE-6188
>             Project: HBase
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Andrew Purtell
>            Assignee: Laxman
>              Labels: security
>
> The table owner concept was a design simplification in the initial drop.
> First, the design changes under review mean only a user with GLOBAL CREATE
> permission can create a table, which will probably be an administrator.
> Then, granting implicit permissions may lead to oversights and it adds 
> unnecessary conditionals to our code. So instead the administrator with 
> GLOBAL CREATE permission should make the appropriate grants at table create 
> time.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira