HBase / HBASE-14809

Grant / revoke Namespace admin permission to group


Details

    • Reviewed

    Description

      Hi,

      We are looking to roll out HBase and are in the process of designing the security model.
      We are looking to implement global DBAs and Namespace specific administrators.
      So for example the global dba would create a namespace and grant a user/group admin privileges within that ns.
      So that a given ns admin can in turn create objects and grant permission within the given ns only.

      We have run into some issues at the ns admin level. It appears that a ns admin can NOT grant to a group unless it also has global admin privilege. But once it has global admin privilege it can grant in any NS, not just the one where it has admin privileges.

      Based on the HBase documentation at http://hbase.apache.org/book.html#appendix_acl_matrix

      Table 13. ACL Matrix
      Interface          Operation                 Permissions
      AccessController   grant(global level)       global(A)
                         grant(namespace level)    global(A)|NS(A)

      grant at a namespace level should be possible for someone with global A OR (|) NS A permission.
      As you will see in our test it does not work if NS A permission is granted but global A permission is not.

      Here you can see that group hbaseappltest_ns1admin has XCA permission on ns1.

      hbase(main):011:0> scan 'hbase:acl' 
      ROW COLUMN+CELL 
      @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA 
      

      However:
      Here you can see that a user who is a member of the group hbaseappltest_ns1admin cannot grant a WRX privilege to a group as it is missing global A privilege.

      $hbase shell 
      15/11/13 10:02:23 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available 
      HBase Shell; enter 'help<RETURN>' for list of supported commands. 
      Type "exit<RETURN>" to leave the HBase Shell 
      Version 1.0.0-cdh5.4.7, rUnknown, Thu Sep 17 02:25:03 PDT 2015 
      
      hbase(main):001:0> whoami 
      ns1admin@WLAB.NET (auth:KERBEROS) 
      groups: hbaseappltest_ns1admin 
      
      hbase(main):002:0> grant '@hbaseappltest_ns1funct' ,'RWX','@ns1' 
      
      ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ns1admin' (global, action=ADMIN) 
      

      The way I read the documentation a NS admin should be able to grant as it has ns level A privilege not only object level permission.

      CDH is version 5.4.7 and HBase is version 1.0.

      Regards,
      Steven
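
The gap between the documented rule and the reported behaviour can be checked against a `scan 'hbase:acl'` dump. The following is an added example, not part of the original report and not HBase code: it models the ACL matrix rule `global(A)|NS(A)` next to the global-only check seen in the error above. Only the `@ns1` row comes from the report; the other rows, the `example_*` names, and the assumption that global grants sit under the `hbase:acl` row key are constructed for illustration.

```python
import re

# Sample scan output: the first row is from the report, the other two are constructed.
ACL_SCAN = """\
 @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1446676679787, value=XCA
 @ns2 column=l:@example_ns2admin, timestamp=1446676679900, value=XCA
 hbase:acl column=l:@example_globaldba, timestamp=1446676679000, value=RWXCA
"""

ROW = re.compile(r"^\s*(\S+)\s+column=l:(\S+),\s+timestamp=\d+,\s+value=(\w+)\s*$")
GLOBAL_ROW = "hbase:acl"  # assumption: row key that holds global grants


def parse_acl(scan_text):
    """Return {(scope, principal): set of action letters}; scope is '@<ns>' or GLOBAL_ROW."""
    acl = {}
    for line in scan_text.splitlines():
        m = ROW.match(line)
        if m:
            scope, principal, actions = m.groups()
            acl.setdefault((scope, principal), set()).update(actions)
    return acl


def has_admin(acl, scope, principals):
    """True if any of the caller's principals (user or '@group') holds A on scope."""
    return any("A" in acl.get((scope, p), set()) for p in principals)


def may_grant_documented(acl, principals, namespace):
    """ACL matrix rule for grant(namespace level): global(A)|NS(A)."""
    return (has_admin(acl, GLOBAL_ROW, principals)
            or has_admin(acl, "@" + namespace, principals))


def may_grant_reported(acl, principals, namespace):
    """Behaviour shown in the report: only global ADMIN is accepted."""
    return has_admin(acl, GLOBAL_ROW, principals)


def grant_scope_mismatches(acl, principals_by_user, namespaces):
    """(user, namespace) pairs where the documented and reported rules disagree."""
    return [(user, ns)
            for user, principals in sorted(principals_by_user.items())
            for ns in namespaces
            if may_grant_documented(acl, principals, ns)
            != may_grant_reported(acl, principals, ns)]
```

Adding a global `A` entry for the namespace admin group makes the reported check pass for every namespace, which is the over-privilege the report describes.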

      Attachments

        1. 14809-v1.txt
          0.8 kB
          Ted Yu
        2. 14809-v2.txt
          5 kB
          Ted Yu
        3. 14809-v3.txt
          7 kB
          Ted Yu
        4. 14809-v3.txt
          7 kB
          Ted Yu
        5. 14809-v4.txt
          9 kB
          Ted Yu


            People

              yuzhihong@gmail.com Ted Yu
              shancz Steven Hancz