Re: [PR] Allow only root user to read fate and scanref tables by default [accumulo]

via GitHub Tue, 10 Mar 2026 08:07:58 -0700


dlmarion commented on code in PR #6203:
URL: https://github.com/apache/accumulo/pull/6203#discussion_r2912447246



##########
server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java:
##########
@@ -355,11 +355,18 @@ private boolean _hasTablePermission(String user, TableId 
table, TablePermission
       boolean useCached) throws ThriftSecurityException {
     targetUserExists(user);
 
+    // Allow all users to read root and metadata tables
     if ((table.equals(SystemTables.METADATA.tableId()) || 
table.equals(SystemTables.ROOT.tableId()))
         && permission.equals(TablePermission.READ)) {
       return true;
     }
 
+    // Allow root user to scan all system tables
+    if (user.equals(getRootUsername()) && SystemTables.containsTableId(table)

Review Comment:
   Removing this and the code to give all users read permission in the Accumulo 
namespace causes the new code in the IT (below) to fail. Is this what you 
expected?
   
   ```
         verifyHasOnlyTheseTablePermissions(c, c.whoami(), 
SystemTables.FATE.tableName(),
             TablePermission.READ);
         verifyHasOnlyTheseTablePermissions(c, c.whoami(), 
SystemTables.SCAN_REF.tableName(),
             TablePermission.READ);
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Allow only root user to read fate and scanref tables by default [accumulo]

Reply via email to