Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-12536

Reduce the effective scope of GLOBAL CREATE and ADMIN permission

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0, 0.94.24, 0.98.8, 0.99.2
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Hide
      This change removes implicit write access to the META and ACL tables for any user with GLOBAL CREATE or ADMIN privilege. Users with GLOBAL CREATE will not be able to elevate their privileges unexpectedly through direct access to the ACL table. A GLOBAL ADMIN will still correctly be allowed to grant themselves any desired privilege.
      Show
      This change removes implicit write access to the META and ACL tables for any user with GLOBAL CREATE or ADMIN privilege. Users with GLOBAL CREATE will not be able to elevate their privileges unexpectedly through direct access to the ACL table. A GLOBAL ADMIN will still correctly be allowed to grant themselves any desired privilege.

      Description

      The current implementation of the AccessController grants users with GLOBAL CREATE or ADMIN privilege implicit write access to the META and ACL tables, so when a new table is created new entries can be added to META and ACL appropriately in the pre and post handlers with the credentials supplied in the RPC context. Although any user with GLOBAL CREATE or ADMIN is already superuser-like in many respects, the implicit write privilege is an artifact of implementation that should be changed. We can remove the implicit write access. After doing so, users with GLOBAL CREATE will not be able to elevate their privileges unexpectedly through direct access to the ACL table. A GLOBAL ADMIN will be still correctly be allowed to grant themselves any desired privilege.

      This issue was discovered and raised by Devaraj Das on private@hbase as a potential security issue and was included in the 0.94.24 and 0.98.8 releases prior to the filing of this JIRA.

      I've set the priority of this issue only at 'Major' since it only affects users with GLOBAL CREATE or ADMIN privilege. GLOBAL ADMIN is already a superuser, and GLOBAL CREATE likewise should already also be considered superuser-lite access and sparingly granted to trusted personnel.

      1. HBASE-12536-0.98.patch
        21 kB
        Andrew Purtell
      2. HBASE-12536-0.94.patch
        19 kB
        Andrew Purtell
      3. HBASE-12536.patch
        20 kB
        Andrew Purtell

        Issue Links

          Activity

          Hide
          busbey Sean Busbey added a comment -

          Since we can't rewrite to add a jira # without being very disruptive, adding links to the commits that implement this fix.

          Show
          busbey Sean Busbey added a comment - Since we can't rewrite to add a jira # without being very disruptive, adding links to the commits that implement this fix.
          Hide
          enis Enis Soztutar added a comment -

          Closing this issue after 0.99.2 release.

          Show
          enis Enis Soztutar added a comment - Closing this issue after 0.99.2 release.

            People

            • Assignee:
              apurtell Andrew Purtell
              Reporter:
              apurtell Andrew Purtell
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development