[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398583#comment-13398583 ] Zhihong Ted Yu commented on HBASE-6253: --- Have you run all security related tests ? With this patch, how would _acl_ table be created on a clean cluster ? isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398649#comment-13398649 ] ramkrishna.s.vasudevan commented on HBASE-6253: --- @Ted {code} if (!MetaReader.tableExists(master.getCatalogTracker(), ACL_TABLE_NAME_STR)) { master.createTable(ACL_TABLEDESC, null); } {code} The acl creation goes thro' master.createTable. So it should be ok. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398656#comment-13398656 ] Gopinathan A commented on HBASE-6253: - Sorry Ted.. I have not run the Security related tests. Your right acl table creation will be failed in this case :( My main intention to avoid user to perform disable/drop acl table. I think we can set setMetaFlags as true in HTableDescriptor constructor for _acl_ table also (like ROOT META). This will solve the table creation problem. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398658#comment-13398658 ] Andrew Purtell commented on HBASE-6253: --- How can a user drop the ACL table if they are not authorized to do it? The string _acl_ as table name has no meaning unless the AccessController is installed. So -1 a core change that encodes it. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398694#comment-13398694 ] Gopinathan A commented on HBASE-6253: - I felt even authorized user should not able to perform disable/drop operation. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13398695#comment-13398695 ] Andrew Purtell commented on HBASE-6253: --- -1 any core code change here. Protect against the drop in the AccessController. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6253) isLegalTableName API should check for the _acl_ table name
[ https://issues.apache.org/jira/browse/HBASE-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13399057#comment-13399057 ] Gopinathan A commented on HBASE-6253: - I agree with your point. I will rework on this patch. isLegalTableName API should check for the _acl_ table name -- Key: HBASE-6253 URL: https://issues.apache.org/jira/browse/HBASE-6253 Project: HBase Issue Type: Bug Affects Versions: 0.94.0 Reporter: Gopinathan A Fix For: 0.94.1 Attachments: HBASE-6253.patch Currently HTableDescriptor.isLegalTableName API doesn't check for the _acl_ table name, due to this user can able to disable/enable/drop/create the acl table. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira