[ https://issues.apache.org/jira/browse/PHOENIX-4529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16577233#comment-16577233 ]

mathias kluba commented on PHOENIX-4529:
----------------------------------------

It seems that several issues are related, such as PHOENIX-4431.

In my company, we are managing permissions per namespace: grant read/write 
access to a team to a specific namespace. But since the SYSTEM tables are in 
the SYSTEM namespace, shared by everyone, it's impossible to let people create 
their own tables.

Do you think it's possible to change the SYSTEM namespace? As of today, it's 
a final static in QueryConstants; if I can change it using a JDBC property, I 
can have SYSTEM tables for each team and manage permissions accordingly.

Do I have to create a new ticket for that?

> Users should only require RX access to SYSTEM.SEQUENCE table
> ------------------------------------------------------------
>
>                 Key: PHOENIX-4529
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4529
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Assignee: Thomas D'Silva
>            Priority: Major
>
> Currently, users don't need to have Write access to {{SYSTEM.CATALOG}} and 
> other tables, since the code is run on the server side as login user. However 
> for {{SYSTEM.SEQUENCE}}, write permission is still needed. This is a 
> potential security concern, since it allows anyone to modify the sequences 
> created by others. This JIRA is to discuss how we can improve the security of 
> this table. 
> Potential options include
> 1. Usage of HBase Cell Level Permissions (works only with HFile version 3 and 
> above)
> 2. AccessControl at Phoenix Layer by addition of user column in the 
> {{SYSTEM.SEQUENCE}} table and use it for access control (Can be error-prone 
> for complex scenarios like sequence sharing)
> Please advise.
> [~tdsilva] [~jamestaylor] [~apurtell] [~an...@apache.org] [~elserj]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
