[HBASE-22581] user with "CREATE" permission can grant, but not revoke permissions on created table - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.1, 2.1.5
Fix Version/s: 2.1.6
Component/s: security
Labels:
None

Hadoop Flags:

Reviewed

Description

A user that only has global or namespace "CREATE" permission can grant permissions to another user on its created table, but cannot revoke them.

This bug exists on branch-2.1, from 2.1.1

2.0, 2.1.0, master, and branch-2.2 are not effected.

The bug can be triggered via hbase shell:

#Start hbase shell as superuse 
#export HADOOP_USER_NAME=hbase 
hbase shell
grant 'regularUser1', 'C'
exit
#Run hbase shell as regularUser1
#grant, then revoke 'RX' permission to regularUser2
#export HADOOP_USER_NAME=regularUser1
hbase shell
create 'nunuke','nunuke'
grant 'regularUser2', 'RX', 'nunuke'
#This will fail on 2.1.1+
revoke 'regularUser2', 'nunuke'

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-22581.branch-2.1.001.patch
14/Jun/19 10:26
4 kB
Istvan Toth
HBASE-22581.master.001.patch
14/Jun/19 11:39
2 kB
Istvan Toth
HBASE-22581.branch-2.1.002.patch
14/Jun/19 19:50
4 kB
Istvan Toth
HBASE-22581.branch-2.1.003.patch
15/Jun/19 03:57
4 kB
Istvan Toth
HBASE-22581.branch-2.1.004.patch
15/Jun/19 17:17
4 kB
Istvan Toth
HBASE-22581.branch-2.1.005.patch
17/Jun/19 13:51
4 kB
Istvan Toth

Issue Links

Dependent

PHOENIX-5161 ChangePermissionsIT is failing in CDH6 branch

Resolved

is caused by

HBASE-21385 HTable.delete request use rpc call directly instead of AsyncProcess

Resolved

Activity

People

Assignee:: Istvan Toth

Reporter:: Istvan Toth

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 14/Jun/19 06:39

Updated:: 17/Jun/19 19:49

Resolved:: 17/Jun/19 16:01