HBase
  1. HBase
  2. HBASE-10834

Better error messaging on issuing grant commands in non-authz mode

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Trivial Trivial
    • Resolution: Fixed
    • Affects Version/s: 0.94.17
    • Fix Version/s: 0.94.23
    • Component/s: shell
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Running the below sequence of steps should give a better error messaging rather than "table not found" error.

      hbase(main):009:0> grant "test", "RWCXA"
      
      ERROR: Unknown table _acl_!
      
      Here is some help for this command:
      Grant users specific rights.
      Syntax : grant <user> <permissions> [<table> [<column family> [<column qualifier>]]
      
      permissions is either zero or more letters from the set "RWXCA".
      READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
      
      For example:
      
          hbase> grant 'bobsmith', 'RWXCA'
          hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
      

      Instead of ERROR: Unknown table acl!, hbase should give out a warning like "Command not supported in non-authz mode(as acl table is only created if authz is turned on)"

      1. HBASE-10834.patch
        1 kB
        Srikanth Srungarapu
      2. HBASE-10834_v2.patch
        2 kB
        Srikanth Srungarapu
      3. HBASE-10834_v3.patch
        0.9 kB
        Srikanth Srungarapu
      4. HBASE-10834_v4.patch
        0.5 kB
        Srikanth Srungarapu

        Activity

        Hide
        Hudson added a comment -

        SUCCESS: Integrated in HBase-0.94-security #511 (See https://builds.apache.org/job/HBase-0.94-security/511/)
        HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2)

        • src/main/ruby/hbase/security.rb
        Show
        Hudson added a comment - SUCCESS: Integrated in HBase-0.94-security #511 (See https://builds.apache.org/job/HBase-0.94-security/511/ ) HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2) src/main/ruby/hbase/security.rb
        Hide
        Hudson added a comment -

        SUCCESS: Integrated in HBase-0.94-JDK7 #170 (See https://builds.apache.org/job/HBase-0.94-JDK7/170/)
        HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2)

        • src/main/ruby/hbase/security.rb
        Show
        Hudson added a comment - SUCCESS: Integrated in HBase-0.94-JDK7 #170 (See https://builds.apache.org/job/HBase-0.94-JDK7/170/ ) HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2) src/main/ruby/hbase/security.rb
        Hide
        Hudson added a comment -

        FAILURE: Integrated in HBase-0.94 #1401 (See https://builds.apache.org/job/HBase-0.94/1401/)
        HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2)

        • src/main/ruby/hbase/security.rb
        Show
        Hudson added a comment - FAILURE: Integrated in HBase-0.94 #1401 (See https://builds.apache.org/job/HBase-0.94/1401/ ) HBASE-10834 Better error messaging on issuing grant commands in non-authz mode (Srikanth Srungarapu) (jxiang: rev dfcf767ae21548f65851044440381dd72e4cccf2) src/main/ruby/hbase/security.rb
        Hide
        Jimmy Xiang added a comment -

        Integrated into 0.94. Thanks Srikanth for the patch.

        Show
        Jimmy Xiang added a comment - Integrated into 0.94. Thanks Srikanth for the patch.
        Hide
        Srikanth Srungarapu added a comment -

        Tested the patch on the secure cluster. The output:

        hbase(main):003:0> grant "test", "RWCXA"
        0 row(s) in 0.3920 seconds
        

        The output on non-secure cluster is as follows:

        hbase(main):002:0> grant "test", "RWXCA"
        
        ERROR: Command not supported as authorization is turned off 
        
        Show
        Srikanth Srungarapu added a comment - Tested the patch on the secure cluster. The output: hbase(main):003:0> grant "test" , "RWCXA" 0 row(s) in 0.3920 seconds The output on non-secure cluster is as follows: hbase(main):002:0> grant "test" , "RWXCA" ERROR: Command not supported as authorization is turned off
        Hide
        Jimmy Xiang added a comment -

        v4 looks good to me. +1

        Show
        Jimmy Xiang added a comment - v4 looks good to me. +1
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12661313/HBASE-10834_v4.patch
        against trunk revision .
        ATTACHMENT ID: 12661313

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/10404//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12661313/HBASE-10834_v4.patch against trunk revision . ATTACHMENT ID: 12661313 +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 patch . The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/10404//console This message is automatically generated.
        Hide
        Srikanth Srungarapu added a comment -

        Attaching updated patch as per suggestions.

        Show
        Srikanth Srungarapu added a comment - Attaching updated patch as per suggestions.
        Hide
        Jimmy Xiang added a comment -

        It seems there is an extra "end". Do you need a "\" to combine the two lines?

        Show
        Jimmy Xiang added a comment - It seems there is an extra "end". Do you need a "\" to combine the two lines?
        Hide
        Srikanth Srungarapu added a comment -

        Yes, this is only for 0.94 as this check is already enforced in 0.98. Please find more details about the patch below:

        Show
        Srikanth Srungarapu added a comment - Yes, this is only for 0.94 as this check is already enforced in 0.98. Please find more details about the patch below: Copied the https://github.com/apache/hbase/blob/0.98/hbase-shell/src/main/ruby/hbase/security.rb#L202 (0.98 branch) and incorporated it into 0.94 branch. All it does is ask the server if the acl table exists. If the server responds no such table exists, it throws an error saying authorization is turned off.
        Hide
        Jimmy Xiang added a comment -

        This patch is for 0.94. We don't have the issue for 0.98+, right? Does v3 solve the problem?

        Show
        Jimmy Xiang added a comment - This patch is for 0.94. We don't have the issue for 0.98+, right? Does v3 solve the problem?
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12658772/HBASE-10834_v3.patch
        against trunk revision .
        ATTACHMENT ID: 12658772

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/10234//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12658772/HBASE-10834_v3.patch against trunk revision . ATTACHMENT ID: 12658772 +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 patch . The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/10234//console This message is automatically generated.
        Hide
        Srikanth Srungarapu added a comment -

        Sorry for overlooking the case where authorization is turned on. Made changes to the patch, which now issues the error message, after ensuring that no acl table exists.

        Show
        Srikanth Srungarapu added a comment - Sorry for overlooking the case where authorization is turned on. Made changes to the patch, which now issues the error message, after ensuring that no acl table exists.
        Hide
        Jimmy Xiang added a comment -

        Is it possible that the cluster has authorization on, but the grant command fails due to some other reason, for example, the cluster is down?

        Show
        Jimmy Xiang added a comment - Is it possible that the cluster has authorization on, but the grant command fails due to some other reason, for example, the cluster is down?
        Hide
        Srikanth Srungarapu added a comment -

        Jimmy Xiang The table acl gets accessed as part of authorization coprocessor classes, so I couldn't really see any other reason for acl to get accessed when authorization is turned off.

        Show
        Srikanth Srungarapu added a comment - Jimmy Xiang The table acl gets accessed as part of authorization coprocessor classes, so I couldn't really see any other reason for acl to get accessed when authorization is turned off.
        Hide
        Jimmy Xiang added a comment -

        Could there be reasons other than the authentication is not on?

        Show
        Jimmy Xiang added a comment - Could there be reasons other than the authentication is not on?
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12649479/HBASE-10834_v2.patch
        against trunk revision .
        ATTACHMENT ID: 12649479

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/9729//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12649479/HBASE-10834_v2.patch against trunk revision . ATTACHMENT ID: 12649479 +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 patch . The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/9729//console This message is automatically generated.
        Hide
        Srikanth Srungarapu added a comment -

        Changed the error message to get rid of non-authz term.

        Show
        Srikanth Srungarapu added a comment - Changed the error message to get rid of non-authz term.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12637015/HBASE-10834.patch
        against trunk revision .
        ATTACHMENT ID: 12637015

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/9720//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12637015/HBASE-10834.patch against trunk revision . ATTACHMENT ID: 12637015 +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 patch . The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/9720//console This message is automatically generated.
        Hide
        Andrew Purtell added a comment -

        "authz" is a shorthand security heads use and "non-athz" isn't a word. Fix that and this patch would be fine.

        Show
        Andrew Purtell added a comment - "authz" is a shorthand security heads use and "non-athz" isn't a word. Fix that and this patch would be fine.
        Hide
        Srikanth Srungarapu added a comment -

        Verified the patch locally.

        Show
        Srikanth Srungarapu added a comment - Verified the patch locally.

          People

          • Assignee:
            Srikanth Srungarapu
            Reporter:
            Srikanth Srungarapu
          • Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development