[jira] [Commented] (HBASE-5352) ACL improvements

Wed, 20 Jun 2012 22:52:46 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13398215#comment-13398215
 ] 

Laxman commented on HBASE-5352:
-------------------------------

One observation related to operation vs ACL in our [Ram & Laxman] discussion 
today.

HBASE-6252 : TABLE ADMIN should be allowed to do assign, unassign & move as 
these are table level operations.

Any other opinion?

                
> ACL improvements
> ----------------
>
>                 Key: HBASE-5352
>                 URL: https://issues.apache.org/jira/browse/HBASE-5352
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>
> In this issue I would like to open discussion for a few minor ACL related 
> improvements. The proposed changes are as follows: 
> 1. Introduce something like 
> AccessControllerProtocol.checkPermissions(Permission[] permissions) API, so 
> that clients can check access rights before carrying out the operations. We 
> need this kind of operation for HCATALOG-245, which introduces authorization 
> providers for hbase over hcat. We cannot use getUserPermissions() since it 
> requires ADMIN permissions on the global/table level.
> 2. getUserPermissions(tableName)/grant/revoke and drop/modify table 
> operations should not check for global CREATE/ADMIN rights, but table 
> CREATE/ADMIN rights. The reasoning is that if a user is able to admin or read 
> from a table, she should be able to read the table's permissions. We can 
> choose whether we want only READ or ADMIN permissions for 
> getUserPermission(). Since we check for global permissions first for table 
> permissions, configuring table access using global permissions will continue 
> to work.  
> 3. Grant/Revoke global permissions - HBASE-5342 (included for completeness)
> From all 3, we may want to backport the first one to 0.92 since without it, 
> Hive/Hcatalog cannot use Hbase's authorization mechanism effectively. 
> I will create subissues and convert HBASE-5342 to a subtask when we get some 
> feedback, and opinions for going further. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to