Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-22581

user with "CREATE" permission can grant, but not revoke permissions on created table

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.1.1, 2.1.5
    • 2.1.6
    • security
    • None
    • Reviewed

    Description

      A user that only has global or namespace "CREATE" permission can grant permissions to another user on its created table, but cannot revoke them.

      This bug exists on branch-2.1, from 2.1.1 

      2.0, 2.1.0, master, and branch-2.2 are not effected.

      The bug can be triggered via hbase shell:

      #Start hbase shell as superuse 
#export HADOOP_USER_NAME=hbase 
hbase shell
grant 'regularUser1', 'C'
exit
#Run hbase shell as regularUser1
#grant, then revoke 'RX' permission to regularUser2
#export HADOOP_USER_NAME=regularUser1
hbase shell
create 'nunuke','nunuke'
grant 'regularUser2', 'RX', 'nunuke'
#This will fail on 2.1.1+
revoke 'regularUser2', 'nunuke'

      Attachments

        1. HBASE-22581.branch-2.1.005.patch
          4 kB
          Istvan Toth
        2. HBASE-22581.branch-2.1.004.patch
          4 kB
          Istvan Toth
        3. HBASE-22581.branch-2.1.003.patch
          4 kB
          Istvan Toth
        4. HBASE-22581.branch-2.1.002.patch
          4 kB
          Istvan Toth
        5. HBASE-22581.master.001.patch
          2 kB
          Istvan Toth
        6. HBASE-22581.branch-2.1.001.patch
          4 kB
          Istvan Toth

        Issue Links

        Dependent

        Task - A task that needs to be done. PHOENIX-5161 ChangePermissionsIT is failing in CDH6 branch

        • Major - Major loss of function.
        • Resolved
        is caused by

        Improvement - An improvement or enhancement to an existing feature or task. HBASE-21385 HTable.delete request use rpc call directly instead of AsyncProcess

        • Major - Major loss of function.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            stoty Istvan Toth
            stoty Istvan Toth
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment