Granting and revoking RW permission to a user defined table works fine.
Granting and revoking RW permission to .META. and -ROOT- doesn't work, but this makes sense because users aren't supposed to modify these tables (only reads are allowed).
Granting and revoking RW permission to _acl_ doesn't work. Why? (I want a specific user like Admin to control the ACL.)

I'm running client code with a user "Ben". Here's what I did:

- First, doing a scan on _acl_ worked without any permission settings.
- Then, from the hbase command line, I granted RW permission on the _acl_ table to "Ben"; scanning from the client worked again.
- Now, I revoked RW permission on the _acl_ table of "Ben"; now scanning from the client didn't work.
- So, I re-granted RW permission on the _acl_ table of "Ben"; scanning doesn't work. :(

Also, granting permissions to _acl_ doesn't seem to affect the output of user_permission. user_permission '_acl_' always prints an empty result.

BTW, I'm running hbase-0.94.0 on a single machine.

Ben

On Mon, Jun 4, 2012 at 5:23 PM, Andrew Purtell <[email protected]> wrote:

> There are shell commands available for managing ACLs: grant, revoke, and
> user_permission. Use these.
>
> - Andy
>
> On Monday, June 4, 2012, Anoop Sam John wrote:
>
> > Hi
> >
> > >it's sort of funny that I can still access the -ROOT- & .META. tables
> > >without permissions. Do you think this is a bug? or am I doing something
> > >wrong?
> > No. The catalog tables are given with read permission for everyone as
> > the client scans these tables in Put/Scan cases for other tables.
> >
> > You can use grant() and remove() functions provided in AccessController
> > for controlling the users and admins etc.
> >
> > -Anoop-
> > ________________________________________
> > From: Ben Kim [[email protected]]
> > Sent: Monday, June 04, 2012 11:53 AM
> > To: [email protected]
> > Subject: accessing _acl_ from hbase client
> >
> > Is there any way a client can access the _acl_ table?
> > I want an administrator to be able to control the user access to all
> > tables.
> > In order to do this I'll need to access the _acl_ table from the HBase
> > client.
> > I'm thinking of something like MySQL user table which has all access
> > permissions to tables.
> >
> > I already tried giving _acl_ access permission to the Admin user, (grant
> > 'Admin', 'RW', '_acl_')
> > but scanning through the _acl_ table with Admin user wasn't allowed.
> >
> > it's sort of funny that I can still access the -ROOT- & .META. tables
> > without permissions. Do you think this is a bug? or am I doing something
> > wrong?
> >
> > Thank you in advance.
> > --
> >
> > *Benjamin Kim*
> > *benkimkimben at gmail*
> >
>
>
> --
> Best regards,
>
> - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
>

--

*Benjamin Kim*
*Mo : +82 10.5357.0521*
*benkimkimben at gmail*
