[
https://issues.apache.org/jira/browse/HBASE-11886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120427#comment-14120427
]
Anoop Sam John edited comment on HBASE-11886 at 9/3/14 8:51 PM:
----------------------------------------------------------------
bq.Since the master does HDFS operations when operations like createTable are
called, it might be an issue, no?
I think no issue. Because the op will be performed with master identity only.
RequestContext is used to know who is the active user. RequestContext is HBase
class and in HDFS we will be getting the user not from this. By a change in
RequestContext ThreadLocal, we make sure in the flow wherever in HBase code, we
check for the user from RequestContext , it is the RPC user who initiated the
flow.
Am ok not to do this change if there is a risk factor and need more time for
tests. Andy would like to get the next RC soon I believe.
+1 with just changing the part of getting activeUser from
RequestContext.(instead UserProvider.instantiate(conf).getCurrent()) Mind
adding a comment why we do this so that it will be easy for some one who read
the code later.
was (Author: anoop.hbase):
bq.Since the master does HDFS operations when operations like createTable are
called, it might be an issue, no?
I think no issue. Because the op will be performed with master identity only.
RequestContext is used to know who is the active user. RequestContext is HBase
class and in HDFS we will be getting the user not from this. By a change in
RequestContext ThreadLocal, we make sure in the flow wherever in HBase code, we
check for the user from RequestContext , it is the RPC user who initiated the
flow.
Am ok not to do this change if there is a risk factor and need more time for
tests. Andy would like to get the next RC soon I believe.
+1 with just changing the part of getting activeUser from RequestContext.
Mind adding a comment why we do this so that it will be easy for some one who
read the code later.
> The creator of the table should have all permissions on the table
> -----------------------------------------------------------------
>
> Key: HBASE-11886
> URL: https://issues.apache.org/jira/browse/HBASE-11886
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.98.3
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Priority: Critical
> Fix For: 0.99.0, 2.0.0, 0.98.6
>
> Attachments: 11886-1.txt
>
>
> In our testing of 0.98.4 with security ON, we found that table creator
> doesn't have RWXCA on the created table. Instead, the user representing the
> HBase daemon gets all permissions. Due to this the table creator can't write
> to the table he just created. I am suspecting HBASE-11275 introduced the
> problem.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
