HBASE-8692

[AccessController] Restrict HTableDescriptor enumeration


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.98.0, 0.95.1, 0.94.9
    • Fix Version/s: 0.98.0, 0.95.2, 0.94.10
    • Component/s: Coprocessors, security
    • Labels: None
    • Release Note:
      This change adds support for restricting access to table schema. Only a user with GLOBAL ADMIN privilege can enumerate the full list of table schemas. If passed a list of specific tables, the AccessController will check that the user has either GLOBAL ADMIN privs, or TABLE ADMIN or TABLE CREATE privs for all of the listed tables before allowing the request.

    Description

      Some users are concerned about having table schema exposed to every user and would like it protected, similar to the rest of the admin operations for schema.

      This used to be hopeless because META would leak HTableDescriptors in HRegionInfo, but that is no longer the case in 0.94+.

      Consider adding CP hooks in the master for intercepting HMasterInterface#getHTableDescriptors and HMasterInterface#getHTableDescriptors(List<String>). Add support in the AccessController for only allowing GLOBAL ADMIN to the first method. Add support in the AccessController for allowing access to the descriptors for the table names in the list of the second method only if the user has TABLE ADMIN privilege for all of the listed table names.

      Then, fix the code in HBaseAdmin (and elsewhere) that expects to be able to enumerate all table descriptors e.g. in deleteTable. A TABLE ADMIN can delete a table but won’t have GLOBAL ADMIN privilege to enumerate the total list. So a minor fixup is needed here, and in other places like this which make the same assumption.
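The following is an added illustration of the authorization rule described in the release note and the description, written for this page; it is not HBase's AccessController code, and the names Permissions, checkGetTableDescriptors and MasterModel, the in-memory ACL store, and the sample users and tables are all hypothetical. It models a null table list as the "enumerate everything" RPC and a non-null list as the per-table RPC (an assumption about the two HMasterInterface#getHTableDescriptors shapes, not something the note states), and it shows why the second part of the change is needed: a deleteTable that finds its target by enumerating all descriptors is denied for a TABLE ADMIN, while one that requests only the named table succeeds.

```java
import java.util.*;

/** Added model of the HBASE-8692 rule; hypothetical names, not HBase code. */
public class DescriptorAccessModel {

    enum Action { ADMIN, CREATE }

    /** Hypothetical in-memory ACL store: global grants plus per-table grants. */
    static final class Permissions {
        private final Map<String, EnumSet<Action>> global = new HashMap<>();
        private final Map<String, Map<String, EnumSet<Action>>> table = new HashMap<>();

        void grantGlobal(String user, Action a) {
            global.computeIfAbsent(user, u -> EnumSet.noneOf(Action.class)).add(a);
        }
        void grantTable(String user, String tbl, Action a) {
            table.computeIfAbsent(user, u -> new HashMap<>())
                 .computeIfAbsent(tbl, t -> EnumSet.noneOf(Action.class)).add(a);
        }
        boolean hasGlobal(String user, Action a) {
            EnumSet<Action> s = global.get(user);
            return s != null && s.contains(a);
        }
        boolean hasTable(String user, String tbl, Action a) {
            Map<String, EnumSet<Action>> m = table.get(user);
            EnumSet<Action> s = (m == null) ? null : m.get(tbl);
            return s != null && s.contains(a);
        }
    }

    static final class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    /**
     * The release-note rule. tableNames == null models the "enumerate all" RPC,
     * a non-null list models the per-table RPC (modelling assumption). The check is
     * all-or-nothing: one unauthorized table denies the whole request, it does not
     * silently filter. The ACL is consulted before table existence, so a user
     * without rights learns nothing about whether a name exists.
     */
    static void checkGetTableDescriptors(Permissions acl, String user, List<String> tableNames)
            throws AccessDeniedException {
        if (acl.hasGlobal(user, Action.ADMIN)) {
            return;                               // GLOBAL ADMIN may see every schema
        }
        if (tableNames == null) {
            throw new AccessDeniedException(user + ": GLOBAL ADMIN required to enumerate all table schemas");
        }
        for (String t : tableNames) {
            if (!acl.hasTable(user, t, Action.ADMIN) && !acl.hasTable(user, t, Action.CREATE)) {
                throw new AccessDeniedException(user + ": TABLE ADMIN or TABLE CREATE required on " + t);
            }
        }
    }

    /** Hypothetical master holding table name -> schema text, guarded by the check above. */
    static final class MasterModel {
        private final Permissions acl;
        private final Map<String, String> schemas = new TreeMap<>();
        MasterModel(Permissions acl) { this.acl = acl; }
        void createTable(String name, String schema) { schemas.put(name, schema); }

        Map<String, String> getTableDescriptors(String user, List<String> names) throws AccessDeniedException {
            checkGetTableDescriptors(acl, user, names);
            if (names == null) return new TreeMap<>(schemas);
            Map<String, String> out = new TreeMap<>();
            for (String n : names) if (schemas.containsKey(n)) out.put(n, schemas.get(n));
            return out;
        }

        /** Pre-fix pattern: enumerate everything to find the target, so a TABLE ADMIN is denied. */
        void deleteTableByEnumerating(String user, String name) throws AccessDeniedException {
            if (getTableDescriptors(user, null).containsKey(name)) schemas.remove(name);
        }

        /** Post-fix pattern: request only the table being deleted. */
        void deleteTable(String user, String name) throws AccessDeniedException {
            if (getTableDescriptors(user, Collections.singletonList(name)).containsKey(name)) schemas.remove(name);
        }
    }

    public static void main(String[] args) {
        Permissions acl = new Permissions();
        acl.grantGlobal("root", Action.ADMIN);
        acl.grantTable("alice", "orders", Action.ADMIN);   // TABLE ADMIN on one table only
        acl.grantTable("bob", "audit", Action.CREATE);     // TABLE CREATE on one table only
        MasterModel master = new MasterModel(acl);         // constructed sample tables
        master.createTable("orders", "cf=[d]");
        master.createTable("audit", "cf=[log]");
        master.createTable("hr", "cf=[salary]");
        try {
            System.out.println("root sees " + master.getTableDescriptors("root", null).keySet());
            System.out.println("alice sees " + master.getTableDescriptors("alice", Arrays.asList("orders")).keySet());
            System.out.println("bob sees " + master.getTableDescriptors("bob", Arrays.asList("audit")).keySet());
            master.getTableDescriptors("alice", Arrays.asList("orders", "hr"));  // denied: no rights on hr
        } catch (AccessDeniedException e) { System.out.println("denied: " + e.getMessage()); }
        try { master.deleteTableByEnumerating("alice", "orders"); }
        catch (AccessDeniedException e) { System.out.println("denied (old delete path): " + e.getMessage()); }
        try { master.deleteTable("alice", "orders"); System.out.println("alice deleted orders"); }
        catch (AccessDeniedException e) { System.out.println("unexpected: " + e.getMessage()); }
    }
}
```

The point a reviewer should take from the model is the interaction between the two parts of the change: once enumeration is gated on GLOBAL ADMIN, every internal caller that walked the full descriptor list to reach one table (deleteTable in the description) silently becomes a privilege check for GLOBAL ADMIN, so those call sites must be changed to request only the tables they act on.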

      Attachments

        1. 8692-0.94.patch (21 kB, Andrew Kyle Purtell)
        2. 8692-0.94.patch (19 kB, Andrew Kyle Purtell)
        3. 8692-0.94.patch (22 kB, Andrew Kyle Purtell)
        4. 8692-0.94.patch (23 kB, Andrew Kyle Purtell)
        5. 8692.patch (20 kB, Andrew Kyle Purtell)
        6. 8692.patch (18 kB, Andrew Kyle Purtell)
        7. 8692.patch (21 kB, Andrew Kyle Purtell)
        8. 8692.patch (23 kB, Andrew Kyle Purtell)

            People

              Assignee: apurtell (Andrew Kyle Purtell)
              Reporter: apurtell (Andrew Kyle Purtell)
              Votes: 0
              Watchers: 9
