HBase / HBASE-11043

Users with table's read/write permission can't get table's description

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: 0.99.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      AccessController#preGetTableDescriptors only allows users with admin or create permission to get a table's description.

      requirePermission("getTableDescriptors", nameAsBytes, null, null,
      Permission.Action.ADMIN, Permission.Action.CREATE);

      I think users with a table's read/write permission should also be able to get the table's description.

      E.g., when creating a Hive table on HBase, Hive will get the table description to check if the mapping is right. Usually the Hive users only have the read permission of the table.

        Issue Links

          Activity

          Liu Shaohui created issue -
          Liu Shaohui added a comment -

          Patch for trunk

          Liu Shaohui made changes -
          Field Original Value New Value
          Attachment HBASE-11043-trunk-v1.diff [ 12641053 ]
          Liu Shaohui made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12641053/HBASE-11043-trunk-v1.diff
          against trunk revision .
          ATTACHMENT ID: 12641053

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 lineLengths. The patch does not introduce lines longer than 100

          +1 site. The mvn site goal succeeds with this patch.

          +1 core tests. The patch passed unit tests in .

          Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
          Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/9352//console

          This message is automatically generated.

          Jean-Daniel Cryans added a comment -

          It's this way because of HBASE-8692.

          Andrew Purtell added a comment -

          This is by design.

          Andrew Purtell made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Assignee Liu Shaohui [ liushaohui ]
          Resolution Not a Problem [ 8 ]
          Liu Shaohui added a comment -

          Jean-Daniel Cryans Andrew Purtell
          I agree that HBase should restrict HTableDescriptor enumeration with HBASE-8692.

          But my question is: why restrict users with a table's read/write permission from getting the table's description?

          Usually, a user with a table's read/write permission needs to know something about the table's description.
          For example, Hive on HBase needs to get the table description to check if the mapping is right, and usually the Hive user only has the table's read permission.

          see: HBaseStorageHandler.java http://grepcode.com/file/repository.cloudera.com/content/repositories/releases/org.apache.hadoop.hive/hive-hbase-handler/0.7.1-cdh3u3b/org/apache/hadoop/hive/hbase/HBaseStorageHandler.java?av=h#184

          Andrew Purtell added a comment -

          Because the metadata can carry arbitrary attributes, including such things as a data encryption key, or something sensitive placed there by the admin or application.
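
The check discussed in this thread, as an added Java sketch that is not part of the issue or of HBase's own code: a simplified any-of permission model showing that READ/WRITE grants do not satisfy a check listing ADMIN and CREATE, so descriptor attributes stay out of reach of data-only users. The class, record, user names and attribute key are hypothetical.

```java
import java.util.*;

// Added illustration: a simplified model, not HBase's AccessController.
public class DescriptorAccessModel {
    enum Action { READ, WRITE, EXEC, CREATE, ADMIN }

    // Hypothetical stand-in for a table descriptor: schema plus free-form attributes.
    record TableDescriptor(String name, List<String> families, Map<String, String> attributes) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Any-of check, mirroring the shape of the requirePermission call quoted in the
    // issue: the request passes if the caller holds at least one listed action.
    static void requirePermission(String request, Set<Action> granted, Action... anyOf) {
        for (Action a : anyOf) {
            if (granted.contains(a)) return;
        }
        throw new AccessDeniedException("Insufficient permissions for " + request
            + " (needs one of " + Arrays.toString(anyOf) + ")");
    }

    // Data permissions (READ/WRITE) are deliberately not accepted for metadata access.
    static TableDescriptor getTableDescriptor(TableDescriptor d, Set<Action> granted) {
        requirePermission("getTableDescriptors", granted, Action.ADMIN, Action.CREATE);
        return d;
    }

    public static void main(String[] args) {
        // Constructed sample: attribute name and value are placeholders.
        TableDescriptor t = new TableDescriptor("orders", List.of("cf"),
            Map.of("APP_WRAPPED_KEY", "<constructed-placeholder>"));

        Map<String, Set<Action>> users = new LinkedHashMap<>();
        users.put("hive_reader", EnumSet.of(Action.READ));
        users.put("etl_writer", EnumSet.of(Action.READ, Action.WRITE));
        users.put("schema_owner", EnumSet.of(Action.CREATE));
        users.put("table_admin", EnumSet.of(Action.ADMIN));

        for (var e : users.entrySet()) {
            try {
                TableDescriptor d = getTableDescriptor(t, e.getValue());
                System.out.println(e.getKey() + ": allowed, sees attributes " + d.attributes().keySet());
            } catch (AccessDeniedException ex) {
                System.out.println(e.getKey() + ": denied, " + ex.getMessage());
            }
        }
    }
}
```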

          Liu Shaohui added a comment -

          Andrew Purtell
          Thanks for your patient explanation.
          I worry that this restriction will bring some incompatibility in other systems that process data from HBase.

          Andrew Purtell added a comment -

          Your specific concern seems to be about querying HBase with Hive. I would point to PHOENIX-946. Hive could offload HBase data source queries to Phoenix, which is running as a coprocessor and maintains its own schema-to-raw-table mapping behind a DDL facade that Hive could just use.

          Andrew Purtell made changes -
          Link This issue is related to PHOENIX-946 [ PHOENIX-946 ]
          Andrew Purtell made changes -
          Link This issue is related to HBASE-8692 [ HBASE-8692 ]
          Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
          Open -> Patch Available | 1h 36m | 1 | Liu Shaohui | 21/Apr/14 12:24
          Patch Available -> Resolved | 12h 55m | 1 | Andrew Purtell | 22/Apr/14 01:19

            People

            • Assignee:
              Unassigned
              Reporter:
              Liu Shaohui
            • Votes:
              0
              Watchers:
              6
