Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 0.4.0
- None
- None
Description
Consider the following series of hbase shell commands:
    disable 'tab1'
    drop 'tab1'
    create 'tab1', 'fam1', 'fam2', 'fam3'
    put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
    put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
    put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
Imagine that there are users it1 and it2, both belonging to user group IT. Let's grant them the following access:
    grant '@IT', 'R', 'tab1', 'fam1', 'col1'
    grant 'it2', 'R', 'tab1', 'fam2'
After this, if user it1 does any of the following accesses, the user won't get back any rows, even though we would expect the user to get back 'row1' with data for 'fam1:col1':
    scan 'tab1'
    scan 'tab1', {COLUMNS => ['fam1']}
    get 'tab1', 'row1'
    get 'tab1', 'row1', 'fam1'
However, doing the following works as expected:
    scan 'tab1', {COLUMNS => ['fam1:col1']}
    get 'tab1', 'row1', 'fam1:col2'
Further, user it2 gets the right results when she does the following, i.e. she gets back results from both 'fam1:col1' and 'fam2:col1':
    scan 'tab1'
    scan 'tab1', {COLUMNS => ['fam1']}
    get 'tab1', 'row1'
    get 'tab1', 'row1', 'fam1'
This happens because for user it1 (from group IT) there is no column family in table 'tab1' to which she has family-level access. She only has partial access to 'fam1' and no access to 'fam2'. User it2, on the other hand, also has only partial access to fam1, but since she has full access to fam2 the final results are right and include values from both fam1 and fam2.
The workaround for this issue is to create a dummy family in the table and give full access to that dummy family to all users that otherwise don't have full access to any other column family of that table.
So, in the above example, if you were to give the following grant, the results for user it1 would be corrected:
    grant '@IT', 'R', 'tab1', 'fam3'
In practice, users most often have family-level access, so incidents of this issue in the field might be fewer.
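A small model of the behaviour described in this report, added here as an example (it is not Ranger or HBase code): `reported_read` encodes the rule the description gives, `expected_read` does plain cell-level filtering, and `regressions` lists the requests where the two differ. The function names and the in-memory grant table are hypothetical; the cells and grants are the ones from the commands above.

```python
# Constructed model of the report's example; not Ranger or HBase code.
CELLS = {  # (family, qualifier) -> value, all stored in row1 of tab1
    ("fam1", "col1"): "fam1-col1-value",
    ("fam1", "col2"): "fam1-col2-value",
    ("fam2", "col1"): "fam2-col1-value",
}
FAMILIES = ("fam1", "fam2", "fam3")
GROUPS = {"it1": {"@IT"}, "it2": {"@IT"}}
# (principal, family, qualifier); qualifier None means a whole-family grant
GRANTS = [("@IT", "fam1", "col1"), ("it2", "fam2", None)]
# The workaround from the report: full access to the otherwise unused fam3
WORKAROUND = GRANTS + [("@IT", "fam3", None)]

def _grants_for(user, grants):
    principals = {user} | GROUPS.get(user, set())
    return [(f, q) for p, f, q in grants if p in principals]

def cell_allowed(user, family, qualifier, grants=GRANTS):
    """True if a column grant or a whole-family grant covers this cell."""
    return any(f == family and q in (None, qualifier)
               for f, q in _grants_for(user, grants))

def has_full_family(user, grants=GRANTS):
    """True if the user holds family-level access to at least one family."""
    return any(q is None for _, q in _grants_for(user, grants))

def _requested(family, qualifier):
    # family=None models scan/get on the whole row; qualifier=None a whole family
    return [(f, q) for (f, q) in CELLS
            if family in (None, f) and qualifier in (None, q)]

def expected_read(user, family=None, qualifier=None, grants=GRANTS):
    """Cell-level filtering: every requested cell the grants allow."""
    return {c: CELLS[c] for c in _requested(family, qualifier)
            if cell_allowed(user, c[0], c[1], grants)}

def reported_read(user, family=None, qualifier=None, grants=GRANTS):
    """Rule described in the report: a request that names no column returns
    nothing unless the user has full access to some family of the table."""
    if qualifier is None and not has_full_family(user, grants):
        return {}
    return expected_read(user, family, qualifier, grants)

def regressions(user, grants=GRANTS):
    """Table- and family-level requests where allowed cells go missing."""
    requests = [(None, None)] + [(f, None) for f in FAMILIES]
    return [r for r in requests
            if reported_read(user, *r, grants=grants) != expected_read(user, *r, grants=grants)]
```

Running `regressions` for each user under both `GRANTS` and `WORKAROUND` gives a compact regression check for a fix: the list should be empty for every user without the dummy-family grant.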