We are looking to roll out HBase and are in the process to design the security model.
We are looking to implement global DBAs and Namespace specific administrators.
So for example the global dba would create a namespace and grant a user/group admin privileges within that ns.
So that a given ns admin can in turn create objects and grant permission within the given ns only.
We have run into some issues at the ns admin level. It appears that a ns admin can NOT grant to a grop unless it also has global admin privilege. But once it has global admin privilege it can grant in any NS not just the one where it has admin privileges.
Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix
Table 13. ACL Matrix
Interface Operation Permissions
AccessController grant(global level) global(A)
grant(namespace level) global(A)|NS(A)
grant at a namespace level should be possible for someone with global A OR (|) NS A permission.
As you will see in our test it does not work if NS A permission is granted but global A permission is not.
Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.
Here you can see that a user who is member of the group hbaseappltest_ns1admin can not grant a WRX privilege to a group as it is missing global A privilege.
The way I read the documentation a NS admin should be able to grant as it has ns level A privilege not only object level permission.
CDH is a version 5.4.7 and Hbase is version 1.0.