[HBASE-8409] Security support for namespaces - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.98.0, 0.95.2
Component/s: None
Labels:
None

Hadoop Flags:

Reviewed
Release Note:

Hide
This patch introduces security privileges to create, alter or drop namespaces. When security is enabled only global admin is allowed to do such operations. Richer namespace privileges will be introduced in ~~HBASE-9206~~.

Show
This patch introduces security privileges to create, alter or drop namespaces. When security is enabled only global admin is allowed to do such operations. Richer namespace privileges will be introduced in HBASE-9206 .

Description

This task adds the security piece to the namespace feature. The work related to migration of the existing acl table to the new namespace is remaining and will be completed in the follow up patch. Permissions can be granted to a namespace by the hbase admin, by appending '@' to the namespace name. A user with write or admin permissions on a given namespace can create tables in that namespace. The other privileges (R, X, C ) do not have any special meaning w.r.t namespaces. Any users of hbase can list tables in a namespace.

The following commands can only be executed by HBase admins.
1. Grant privileges for user on Namespace.
2. Revoke privileges for user on Namespace

Grant Command:
hbase> grant 'tenant-A' 'W' '@N1'
In the above example, the command will grant the user 'tenant-A' write privileges for a namespace named "N1".

Revoke Command:

hbase> revoke 'tenant-A''@N1'
In the above example, the command will revoke all privileges from user 'tenant-A' for namespace named "N1".

Lets see an example on how privileges work with namespaces.

User "Mike" request for a namespace named "hbase_perf" with the hbase admin.
whoami: hbase
hbase shell >> namespace_create 'hbase_perf'
hbase shell >> grant 'mike', 'W', '@hbase_perf'
Mike creates two tables "table20" and "table50" in the above workspace.
whoami: mike
hbase shell >> create 'hbase_perf.table20', 'family1'
hbase shell >> create 'hbase_perf.table50', 'family1'

Note: As Mike was able to create tables 'hbase_perf.table20', 'hbase_perf.table50', he becomes the owner of those tables.
This means he has "RWXCA" perms on those tables.
Another team member of Mike, Alice wants also to share the same workspace "hbase_perf". HBase admin grants Alice also permission to create tables in "hbase_perf" namespace.
whoami: hbase
hbase shell >> grant 'alice', 'W', '@hbase_perf'
Now Alice can create new tables under "hbase_perf" namespace, but cannot read,write,alter,delete existing tables in the namespace.

whoami: alice
hbase shell >> namespace_list_tables 'hbase_perf'
hbase_perf.table20
hbase_perf.table50
hbase shell >> scan 'hbase_perf.table20'
AccessDeniedException

If Alice wants to read or write to existing tables in the "hbase_perf" namespace, hbase admins need to explicitly grant permission.

whoami: hbase
hbase shell >> grant 'alice', 'RW', 'hbase_perf.table20'
hbase shell >> grant 'alice', 'RW', 'hbase_perf.table50'

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

8409_095.txt
13/Aug/13 22:01
370 kB
Michael Stack
8409-addendum.patch
19/Aug/13 22:55
9 kB
Devaraj Das
HBASE-8049_trunk.patch
21/Jun/13 00:44
32 kB
Vandana Ayyalasomayajula
HBASE-8409_2.patch
11/Aug/13 10:49
393 kB
Francis Christopher Liu
HBASE-8409_3.patch
12/Aug/13 03:51
395 kB
Francis Christopher Liu
HBASE-8409_4.patch
13/Aug/13 16:38
394 kB
Francis Christopher Liu
TestNamespaceUpgrade.tgz
11/Aug/13 10:49
10 kB
Francis Christopher Liu

Issue Links

is related to

HBASE-9124 _acl_ table should be migrated to system namespace

Closed

Activity

People

Assignee:: Vandana Ayyalasomayajula

Reporter:: Francis Christopher Liu

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 23/Apr/13 23:18

Updated:: 29/Mar/16 20:19

Resolved:: 13/Aug/13 22:02