Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-14818

user_permission does not list namespace permissions

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 1.2.0
    • 1.3.0, 1.2.2, 0.98.20, 2.0.0
    • None
    • None
    • Reviewed

    Description

      The user_permission command does not list namespace permissions:

      For example: if I create a new namespace or use an existing namespace and grant a user privileges to that namespace, the command user_permission does not list it. The permission is visible in the acl table.

      Example:
      hbase(main):005:0> create_namespace 'ns3'
      0 row(s) in 0.1640 seconds
      hbase(main):007:0> grant 'test_user','RWXAC','@ns3'
      0 row(s) in 0.5680 seconds
      hbase(main):008:0> user_permission '.*'
      User Namespace,Table,Family,Qualifier:Permission
      sh82993 finance,finance:emp,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
      @hbaseglobaldba hbase,hbase:acl,,: [Permission: actions=EXEC,CREATE,ADMIN]
      @hbaseglobaloper hbase,hbase:acl,,: [Permission: actions=EXEC,ADMIN]
      hdfs hbase,hbase:acl,,: [Permission: actions=READ,WRITE,CREATE,ADMIN,EXEC]
      sh82993 ns1,ns1:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
      ns1admin ns1,ns1:tbl2,,: [Permission: actions=EXEC,CREATE,ADMIN]
      @hbaseappltest_ns1funct ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC]
      ns1funct ns1,ns1:tbl2,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
      hbase ns2,ns2:tbl1,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
      9 row(s) in 1.8090 seconds

      As you can see user test_user does not appear in the output, but we can see the permission in the ACL table.

      hbase(main):001:0> scan 'hbase:acl'
      ROW COLUMN+CELL
      @finance column=l:sh82993, timestamp=1444405519510, value=RWXCA
      @gcbcppdn column=l:hdfs, timestamp=1446141119602, value=RWCXA
      @hbase column=l:hdfs, timestamp=1446141485136, value=RWCAX
      @ns1 column=l:@hbaseappltest_ns1admin, timestamp=1447437007467, value=RWXCA
      @ns1 column=l:@hbaseappltest_ns1funct, timestamp=1447427366835, value=RWX
      @ns2 column=l:@hbaseappltest_ns2admin, timestamp=1446674470456, value=XCA
      @ns2 column=l:test_user, timestamp=1447692840030, value=RWAC
      @ns3 column=l:test_user, timestamp=1447692860434, value=RWXAC
      finance:emp column=l:sh82993, timestamp=1444407723316, value=RWXCA
      hbase:acl column=l:@hbaseglobaldba, timestamp=1446590375370, value=XCA
      hbase:acl column=l:@hbaseglobaloper, timestamp=1446590387965, value=XA
      hbase:acl column=l:hdfs, timestamp=1446141737213, value=RWCAX
      ns1:tbl1 column=l:sh82993, timestamp=1446674153058, value=RWXCA
      ns1:tbl2 column=l:@hbaseappltest_ns1funct, timestamp=1447183824580, value=RWX
      ns1:tbl2 column=l:ns1admin, timestamp=1447183766370, value=XCA
      ns1:tbl2 column=l:ns1funct, timestamp=1447184077545, value=RWXCA
      ns2:tbl1 column=l:hbase, timestamp=1447182228314, value=RWXCA
      11 row(s) in 0.4990 seconds

      It would be nice to be able to see namespace permissions via the user_permission '.*' command as scanning the acl table is not the recommended way to view object permissions. Especially if one is looking to access base via a shell and collect ACL information.

      Steven

      Attachments

        1. HBASE-14818-1.2-v4.patch
          6 kB
          Xiang Li
        2. HBASE-14818-master-v3.patch
          3 kB
          Xiang Li
        3. HBASE-14818-master-v4.patch
          6 kB
          Xiang Li
        4. HBASE-14818-v0.patch
          2 kB
          Xiang Li
        5. HBASE-14818-v1.patch
          2 kB
          Xiang Li
        6. HBASE-14818-v2.patch
          3 kB
          Xiang Li

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            xiangli Xiang Li
            shancz Steven Hancz
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment