Ranger / RANGER-533

Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.4.0
    • Fix Version/s: 0.5.1
    • Component/s: None
    • Labels: None

    Description

      Consider the following series of hbase shell commands

      disable 'tab1'
      drop 'tab1'
      create 'tab1', 'fam1', 'fam2', 'fam3'
      put 'tab1', 'row1', 'fam1:col1', 'fam1-col1-value'
      put 'tab1', 'row1', 'fam1:col2', 'fam1-col2-value'
      put 'tab1', 'row1', 'fam2:col1', 'fam2-col1-value'
      

      Imagine that there are users it1 and it2, both belonging to user group IT. Let's grant them the following access:

      grant '@IT', 'R', 'tab1', 'fam1', 'col1'
      grant 'it2', 'R', 'tab1', 'fam2'
      

      After this, if user it1 does any of the following accesses, the user won't get back any rows, even though we would expect the user to get back 'row1' with data for 'fam1:col1':

      scan 'tab1'
      scan 'tab1', {COLUMNS => ['fam1']}
      get 'tab1', 'row1'
      get 'tab1', 'row1', 'fam1'
      

      However, doing the following works as expected.

      scan 'tab1', {COLUMNS => ['fam1:col1']}
      get 'tab1', 'row1', 'fam1:col2'
      

      Further, user it2 gets the right results when she does the following, i.e. she gets back results from both 'fam1:col1' and 'fam2:col1':

      scan 'tab1'
      scan 'tab1', {COLUMNS => ['fam1']}
      get 'tab1', 'row1'
      get 'tab1', 'row1', 'fam1'
      

      This happens because for user it1 (from group IT) there is no column family in table 'tab1' to which she has family-level access. She has only partial access to 'fam1' and no access to 'fam2'. User it2 also has only partial access to fam1, but since she has full access to fam2, the final results are right and include values from both fam1 and fam2.

      The workaround for this issue is to create a dummy family in the table and give full access to that dummy family to all users that otherwise don't have full access to any other column family of that table.

      So in the above example if you were to give the following grant then results of user it1 would be corrected:

      grant '@IT', 'R', 'tab1', 'fam3'
      

      In practice, users most often have family-level access, so this issue might occur less often in the field.
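
      The behaviour described above as a small Python model, added here as an illustration and not taken from the Ranger HBase plugin. `expected_scan` computes the cells a correct column-level filter should return, and `reported_scan` reproduces the symptom in this report; all function names and the in-memory grant representation are assumptions.

```python
# Added illustration: models the report's expected vs. observed results.
# Not Ranger plugin code; data is constructed from the shell commands above.
CELLS = {("row1", "fam1", "col1"): "fam1-col1-value",
         ("row1", "fam1", "col2"): "fam1-col2-value",
         ("row1", "fam2", "col1"): "fam2-col1-value"}
GROUPS = {"it1": {"@IT"}, "it2": {"@IT"}}
# (principal, family, column); column None means a family-level grant.
GRANTS = [("@IT", "fam1", "col1"), ("it2", "fam2", None)]
WORKAROUND = GRANTS + [("@IT", "fam3", None)]  # dummy-family grant

def principals(user):
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())

def can_read(user, family, column, grants):
    """True if a family-level or matching column-level grant covers the cell."""
    who = principals(user)
    return any(p in who and f == family and c in (None, column)
               for p, f, c in grants)

def has_family_level_access(user, grants):
    """True if the user holds a family-level grant on at least one family."""
    who = principals(user)
    return any(p in who and c is None for p, _f, c in grants)

def expected_scan(user, family=None, column=None, grants=GRANTS):
    """Correct result: every requested cell the user is allowed to read."""
    return {k: v for k, v in CELLS.items()
            if (family is None or k[1] == family)
            and (column is None or k[2] == column)
            and can_read(user, k[1], k[2], grants)}

def reported_scan(user, family=None, column=None, grants=GRANTS):
    """Symptom in the report: a table- or family-level request returns
    nothing when the user has no family-level grant on any family."""
    if column is None and not has_family_level_access(user, grants):
        return {}
    return expected_scan(user, family, column, grants)

def mismatches(user, grants=GRANTS):
    """Request shapes where the reported behaviour differs from the expected."""
    shapes = [(None, None), ("fam1", None), ("fam1", "col1")]
    return [s for s in shapes
            if reported_scan(user, *s, grants=grants)
            != expected_scan(user, *s, grants=grants)]

if __name__ == "__main__":
    for user in ("it1", "it2"):
        print(user, mismatches(user), mismatches(user, WORKAROUND))
```

      Running it shows that only it1's table-level and family-level requests diverge, and that the divergence disappears once the dummy-family grant is added.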

          People

            alok Alok Lal