You need to pretend like the _acl_ table does not exist. It is an
implementation detail. It's like META and ROOT, another system table.

Currently only the superuser can run the grant and revoke commands. This is a
principal that can be configured with the property hbase.superuser but is by
default the service principal under which the HBase daemons are running. This
is by design. However, in a future version of the AccessController it is likely
the ADMIN permission will be grantable for delegating grant and revoke
permissions to other users on a global or per table basis.

- Andy

On Jun 4, 2012, at 11:17 AM, Ben Kim <[email protected]> wrote:
> Granting and revoking RW permission to a user defined table works fine.
>
> Granting and revoking RW permission to .META. and -ROOT- doesn't work, but
> this makes sense because users aren't supposed to modify these tables (only
> reads are allowed).
>
> Granting and revoking RW permission to _acl_ doesn't work. Why? (I want a
> specific user like Admin to control the ACL)
>
> I'm running client code with a user "Ben", and here's what I did...
>
> - First, doing a scan on _acl_ worked without any permission settings.
> - Then, from the hbase command line, I granted RW permission on _acl_
> table to "Ben", scanning from the client worked again.
> - Now, I revoked RW permission on _acl_ table of "Ben", now scanning
> from the client didn't work.
> - So, I re-granted RW permission on _acl_ table of "Ben", scanning
> doesn't work. :(
>
> Also, granting permissions to _acl_ doesn't seem to affect the output of
> user_permission.
>
> user_permission '_acl_' always prints an empty result.
>
>
> BTW, I'm running hbase-0.94.0 on a single machine
>
>
> Ben
>
> On Mon, Jun 4, 2012 at 5:23 PM, Andrew Purtell <[email protected]> wrote:
>
>> There are shell commands available for managing ACLs: grant, revoke, and
>> user_permission. Use these.
>>
>> - Andy
>>
>> On Monday, June 4, 2012, Anoop Sam John wrote:
>>
>>> Hi
>>>
>>>> it's sort of funny that I can still access the -ROOT- & .META. tables
>>>> without permissions. Do you think this is a bug? or am I doing something
>>>> wrong?
>>> No. The catalog tables are given read permission for everyone, as
>>> the client scans these tables in Put/Scan cases for other tables.
>>>
>>> You can use grant() and remove() functions provided in AccessController
>>> for controlling the users and admins etc.
>>>
>>> -Anoop-
>>> ________________________________________
>>> From: Ben Kim [[email protected]]
>>> Sent: Monday, June 04, 2012 11:53 AM
>>> To: [email protected]
>>> Subject: accessing _acl_ from hbase client
>>>
>>> Is there any way a client can access the _acl_ table?
>>> I want an administrator to be able to control the user access to all
>>> tables.
>>> In order to do this I'll need to access the _acl_ table from the HBase
>>> client.
>>> I'm thinking of something like MySQL user table which has all access
>>> permissions to tables.
>>>
>>> I already tried giving _acl_ access permission to the Admin user, (grant
>>> 'Admin', 'RW', '_acl_')
>>> but scanning through the _acl_ table with Admin user wasn't allowed.
>>>
>>> It's sort of funny that I can still access the -ROOT- & .META. tables
>>> without permissions. Do you think this is a bug? or am I doing something
>>> wrong?
>>>
>>> Thank you in advance.
>>> --
>>>
>>> *Benjamin Kim*
>>> *benkimkimben at gmail*
>>>
>>
>>
>> --
>> Best regards,
>>
>> - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> (via Tom White)
>>
>
>
>
> --
>
> *Benjamin Kim*
> *Mo : +82 10.5357.0521*
> *benkimkimben at gmail*