[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2020-05-18 Thread Andrew Kyle Purtell (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17110530#comment-17110530
 ] 

Andrew Kyle Purtell commented on HBASE-11043:
-

bq. Make sensitive table attributes like data encryption key protected and 
exclude them if user has no CREATE or ADMIN privileges.

This works for the table attributes we know about, but not for user set 
attributes which may or may not be sensitive. So, to be safe, we don't allow 
schema to be viewed by credentials with less than CREATE or ADMIN level trust. 

> Users with table's read/write permission can't get table's description
> --
>
> Key: HBASE-11043
> URL: https://issues.apache.org/jira/browse/HBASE-11043
> Project: HBase
>  Issue Type: Bug
>  Components: security
>Affects Versions: 0.99.0
>Reporter: Shaohui Liu
>Priority: Minor
> Attachments: HBASE-11043-trunk-v1.diff
>
>
> AccessController#preGetTableDescriptors only allows users with admin or create 
> permission to get a table's description.
> {quote}
> requirePermission("getTableDescriptors", nameAsBytes, null, null,
>   Permission.Action.ADMIN, Permission.Action.CREATE);
> {quote}
> I think users with a table's read/write permission should also be able to get 
> the table's description. 
> E.g., when creating a Hive table on HBase, Hive will get the table description 
> to check if the mapping is right. Usually the Hive users only have read 
> permission on the table.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
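
The trade-off described in the comment above, as an added example that is not part of the thread and not HBase's code: a simplified model comparing redaction by a list of known-sensitive attribute names with the deny-by-default check. The class, the method names `redactKnown` and `requireCreateOrAdmin`, and all attribute names and values are constructed for illustration.

```java
import java.util.*;

// Added illustration: a simplified model, not HBase's AccessController.
public class DescriptorAccessDemo {
    enum Action { READ, WRITE, CREATE, ADMIN }

    // Hypothetical denylist of attribute names the server knows to be sensitive.
    static final Set<String> KNOWN_SENSITIVE = Set.of("ENCRYPTION_KEY");

    // Approach proposed in the thread: callers without CREATE or ADMIN get
    // the descriptor with the known-sensitive attributes stripped.
    static Map<String, String> redactKnown(Map<String, String> attrs, Set<Action> granted) {
        if (granted.contains(Action.ADMIN) || granted.contains(Action.CREATE)) {
            return attrs;
        }
        Map<String, String> visible = new TreeMap<>(attrs);
        visible.keySet().removeAll(KNOWN_SENSITIVE);
        return visible;
    }

    // Behaviour kept by the project: no schema at all without CREATE or ADMIN.
    static Map<String, String> requireCreateOrAdmin(Map<String, String> attrs, Set<Action> granted) {
        if (!granted.contains(Action.ADMIN) && !granted.contains(Action.CREATE)) {
            throw new SecurityException("getTableDescriptors requires ADMIN or CREATE");
        }
        return attrs;
    }

    public static void main(String[] args) {
        // Constructed sample descriptor attributes.
        Map<String, String> attrs = new TreeMap<>();
        attrs.put("ENCRYPTION_KEY", "<wrapped key bytes>");
        attrs.put("app.billing.apiToken", "<secret set by the application>");
        attrs.put("MAX_FILESIZE", "10737418240");

        Set<Action> reader = EnumSet.of(Action.READ);

        // The denylist removes ENCRYPTION_KEY but still returns the
        // application's token, which the server cannot know is sensitive.
        System.out.println("redacted view for READ user: " + redactKnown(attrs, reader).keySet());

        try {
            requireCreateOrAdmin(attrs, reader);
        } catch (SecurityException e) {
            System.out.println("deny-by-default for READ user: " + e.getMessage());
        }
    }
}
```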


[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2020-05-18 Thread Ruslan Sabitov (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17110287#comment-17110287
 ] 

Ruslan Sabitov commented on HBASE-11043:


A user without CREATE permission can't get information about a table when running 
the describe  command in the hbase shell. I think it's excessive to give 
CREATE permission only for getting table info. Furthermore, the user can get this 
information in the HBase web UI.

I see two ways to solve this:

1. Make sensitive table attributes like data encryption key protected and exclude 
   them if user has no CREATE or ADMIN privileges.
2. Forbid storing sensitive data in attributes and add a warning about that in 
   the documentation.



[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-24 Thread Andrew Purtell (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13980555#comment-13980555
 ] 

Andrew Purtell commented on HBASE-11043:


Your specific concern seems to be about querying HBase with Hive. I would point 
to PHOENIX-946. Hive could offload HBase data source queries to Phoenix, which 
is running as a coprocessor and maintains its own schema-to-raw-table mapping 
behind a DDL facade that Hive could just use. 




--
This message was sent by Atlassian JIRA
(v6.2#6252)


[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-23 Thread Liu Shaohui (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13977951#comment-13977951
 ] 

Liu Shaohui commented on HBASE-11043:
-

[~jdcryans] [~apurtell]
I agree that hbase should restrict HTableDescriptor enumeration with HBASE-8692.

But my question is: why restrict users with a table's read/write 
permission from getting the table's description? 

Usually, a user with a table's read/write permission needs to know something 
about the table's description.
For example, Hive on HBase needs to get the table description to check if the 
mapping is right, and usually the Hive user only has table read permission.

see: HBaseStorageHandler.java 
http://grepcode.com/file/repository.cloudera.com/content/repositories/releases/org.apache.hadoop.hive/hive-hbase-handler/0.7.1-cdh3u3b/org/apache/hadoop/hive/hbase/HBaseStorageHandler.java?av=h#184




[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-23 Thread Andrew Purtell (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13978340#comment-13978340
 ] 

Andrew Purtell commented on HBASE-11043:


Because the metadata can carry arbitrary attributes, including such things as a 
data encryption key, or something sensitive placed there by the admin or 
application. 



[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-23 Thread Liu Shaohui (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13979231#comment-13979231
 ] 

Liu Shaohui commented on HBASE-11043:
-

[~apurtell]
Thanks for your patient explanation.
I worry that this restriction will bring some incompatibility in other 
systems that process data from HBase.




[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-21 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13975560#comment-13975560
 ] 

Hadoop QA commented on HBASE-11043:
---

{color:green}+1 overall{color}.  Here are the results of testing the latest 
attachment 
  
http://issues.apache.org/jira/secure/attachment/12641053/HBASE-11043-trunk-v1.diff
  against trunk revision .
  ATTACHMENT ID: 12641053

{color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

{color:green}+1 tests included{color}.  The patch appears to include 3 new 
or modified tests.

{color:green}+1 javadoc{color}.  The javadoc tool did not generate any 
warning messages.

{color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

{color:green}+1 findbugs{color}.  The patch does not introduce any new 
Findbugs (version 1.3.9) warnings.

{color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

{color:green}+1 lineLengths{color}.  The patch does not introduce lines 
longer than 100

  {color:green}+1 site{color}.  The mvn site goal succeeds with this patch.

{color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Console output: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9352//console

This message is automatically generated.

> Users with table's read/write permission can't get table's description
> --
>
> Key: HBASE-11043
> URL: https://issues.apache.org/jira/browse/HBASE-11043
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.99.0
> Reporter: Liu Shaohui
> Assignee: Liu Shaohui
> Priority: Minor
> Attachments: HBASE-11043-trunk-v1.diff
>
>
> AccessController#preGetTableDescriptors only allows users with admin or create 
> permission to get a table's description.
> {quote}
> requirePermission("getTableDescriptors", nameAsBytes, null, null,
>   Permission.Action.ADMIN, Permission.Action.CREATE);
> {quote}
> I think users with a table's read/write permission should also be able to get 
> the table's description. 
> E.g., when creating a Hive table on HBase, Hive will get the table description 
> to check if the mapping is right. Usually the Hive users only have read 
> permission on the table.





[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-21 Thread Jean-Daniel Cryans (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13976108#comment-13976108
 ] 

Jean-Daniel Cryans commented on HBASE-11043:


It's this way because of HBASE-8692.



[jira] [Commented] (HBASE-11043) Users with table's read/write permission can't get table's description

2014-04-21 Thread Andrew Purtell (JIRA)

[ 
https://issues.apache.org/jira/browse/HBASE-11043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13976224#comment-13976224
 ] 

Andrew Purtell commented on HBASE-11043:


This is by design. 
