[ https://issues.apache.org/jira/browse/HBASE-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398215#comment-13398215 ]
Laxman commented on HBASE-5352: ------------------------------- One observation related to operation vs ACL in our [Ram & Laxman] discussion today. HBASE-6252 : TABLE ADMIN should be allowed to do assign, unassign & move as these are table level operations. Any other opinion? > ACL improvements > ---------------- > > Key: HBASE-5352 > URL: https://issues.apache.org/jira/browse/HBASE-5352 > Project: HBase > Issue Type: Improvement > Components: security > Affects Versions: 0.92.1, 0.94.0 > Reporter: Enis Soztutar > Assignee: Enis Soztutar > > In this issue I would like to open discussion for a few minor ACL related > improvements. The proposed changes are as follows: > 1. Introduce something like > AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so > that clients can check access rights before carrying out the operations. We > need this kind of operation for HCATALOG-245, which introduces authorization > providers for hbase over hcat. We cannot use getUserPermissions() since it > requires ADMIN permissions on the global/table level. > 2. getUserPermissions(tableName)/grant/revoke and drop/modify table > operations should not check for global CREATE/ADMIN rights, but table > CREATE/ADMIN rights. The reasoning is that if a user is able to admin or read > from a table, she should be able to read the table's permissions. We can > choose whether we want only READ or ADMIN permissions for > getUserPermission(). Since we check for global permissions first for table > permissions, configuring table access using global permissions will continue > to work. > 3. Grant/Revoke global permissions - HBASE-5342 (included for completeness) > From all 3, we may want to backport the first one to 0.92 since without it, > Hive/Hcatalog cannot use Hbase's authorization mechanism effectively. > I will create subissues and convert HBASE-5342 to a subtask when we get some > feedback, and opinions for going further. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira