[ 
https://issues.apache.org/jira/browse/HBASE-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13292972#comment-13292972
 ] 

Laxman commented on HBASE-5352:
-------------------------------

Request for review for subtask: HBASE-6092
                
> ACL improvements
> ----------------
>
>                 Key: HBASE-5352
>                 URL: https://issues.apache.org/jira/browse/HBASE-5352
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>
> In this issue I would like to open discussion for a few minor ACL related 
> improvements. The proposed changes are as follows: 
> 1. Introduce something like 
> AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so 
> that clients can check access rights before carrying out the operations. We 
> need this kind of operation for HCATALOG-245, which introduces authorization 
> providers for hbase over hcat. We cannot use getUserPermissions() since it 
> requires ADMIN permissions on the global/table level.
> 2. getUserPermissions(tableName)/grant/revoke and drop/modify table 
> operations should not check for global CREATE/ADMIN rights, but table 
> CREATE/ADMIN rights. The reasoning is that if a user is able to admin or read 
> from a table, she should be able to read the table's permissions. We can 
> choose whether we want only READ or ADMIN permissions for 
> getUserPermission(). Since we check for global permissions first for table 
> permissions, configuring table access using global permissions will continue 
> to work.  
> 3. Grant/Revoke global permissions - HBASE-5342 (included for completeness)
> Of all 3, we may want to backport the first one to 0.92 since without it, 
> Hive/HCatalog cannot use HBase's authorization mechanism effectively. 
> I will create subissues and convert HBASE-5342 to a subtask when we get some 
> feedback, and opinions for going further. 

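A simplified model of the checks proposed in items 1 and 2 of the issue description above, added here as an illustration; it is not HBase code and not code from the issue. All class and method names except checkPermissions are hypothetical, and requiring table ADMIN (rather than READ) to read a table's ACL is an assumption, since the description leaves that choice open.

```java
import java.util.*;

// Simplified model, not HBase code: global grants are consulted first, then table grants.
public class AclModel {
    enum Action { READ, WRITE, CREATE, ADMIN }

    // A requested permission; table == null means global scope.
    record Permission(String table, Action action) {}

    private final Map<String, Set<Action>> globalGrants = new HashMap<>();             // user -> actions
    private final Map<String, Map<String, Set<Action>>> tableGrants = new HashMap<>(); // table -> user -> actions

    void grantGlobal(String user, Action a) {
        globalGrants.computeIfAbsent(user, k -> EnumSet.noneOf(Action.class)).add(a);
    }

    void grantTable(String table, String user, Action a) {
        tableGrants.computeIfAbsent(table, k -> new HashMap<>())
                   .computeIfAbsent(user, k -> EnumSet.noneOf(Action.class)).add(a);
    }

    // Global permission is checked first, so configuring table access globally keeps working.
    boolean authorize(String user, Permission p) {
        if (globalGrants.getOrDefault(user, Set.of()).contains(p.action())) return true;
        if (p.table() == null) return false; // a table grant never satisfies a global request
        return tableGrants.getOrDefault(p.table(), Map.of())
                          .getOrDefault(user, Set.of()).contains(p.action());
    }

    // Item 1: the caller asks only about its own rights; every requested permission must hold.
    boolean checkPermissions(String caller, Permission... permissions) {
        return Arrays.stream(permissions).allMatch(p -> authorize(caller, p));
    }

    // Item 2: reading a table's ACL needs table-level ADMIN (assumed), not global ADMIN.
    boolean canReadTableAcl(String caller, String table) {
        return authorize(caller, new Permission(table, Action.ADMIN));
    }

    public static void main(String[] args) {
        AclModel acl = new AclModel();
        acl.grantTable("orders", "alice", Action.ADMIN); // constructed sample grants
        acl.grantTable("orders", "alice", Action.READ);
        acl.grantGlobal("root", Action.ADMIN);
        System.out.println("alice reads orders ACL:  " + acl.canReadTableAcl("alice", "orders"));
        System.out.println("alice reads billing ACL: " + acl.canReadTableAcl("alice", "billing"));
        System.out.println("root reads billing ACL:  " + acl.canReadTableAcl("root", "billing"));
        System.out.println("alice READ+WRITE orders: " + acl.checkPermissions("alice",
            new Permission("orders", Action.READ), new Permission("orders", Action.WRITE)));
    }
}
```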