Thomas D'Silva commented on PHOENIX-4529:

Users/teams can create their own tables. A user has to have the create 
permission on the namespace for which they are trying to create the table and 
read and execute permission on the SYSTEM namespace. There is an open JIRA 
PHOENIX-4430 to prevent a user from reading the metadata of a schema on which 
he/she doesn't have access. A user does not need to have write access on the 
SYSTEM table to create a table. 

> Users should only require RX access to SYSTEM.SEQUENCE table
> ------------------------------------------------------------
>                 Key: PHOENIX-4529
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4529
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Priority: Major
> Currently, users don't need to have Write access to {{SYSTEM.CATALOG}} and 
> other tables, since the code is run on the server side as login user. However 
> for {{SYSTEM.SEQUENCE}}, write permission is still needed. This is a 
> potential security concern, since it allows anyone to modify the sequences 
> created by others. This JIRA is to discuss how we can improve the security of 
> this table. 
> Potential options include
> 1. Usage of HBase Cell Level Permissions (works only with HFile version 3 and 
> above)
> 2. AccessControl at Phoenix Layer by addition of user column in the 
> {{SYSTEM.SEQUENCE}} table and use it for access control (Can be error-prone 
> for complex scenarios like sequence sharing)
> Please advise.
> [~tdsilva] [~jamestaylor] [~apurtell] [~an...@apache.org] [~elserj]
