https://community.cloudera.com/t5/Archives-of-Support-Questions/Why-is-global-admin-permissions-necessary-to-create-a/m-p/141038#M35495 <P>ACLs were not part of the core hbase (implemented through coprocessor). We were adding to a core functionality knowledge about an external component (ACL).</P><P>There was the discussion about the meaning of restoring the acls that we snapshotted (see HBASE-11013).</P><P>Please consult with the following for up-to-date ACL:</P><P><A href="http://hbase.apache.org/book.html#appendix_acl_matrix" target="_blank">http://hbase.apache.org/book.html#appendix_acl_matrix</A></P><P>We cannot allow any user to restore any snapshot otherwise you'll be able to see data that is not yours.</P><P>There is no ACL on snapshot to say "allow this user to restore/clone" the snapshot.</P> Thu, 21 Jul 2016 21:31:46 GMT tyu 2016-07-21T21:31:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Why-is-global-admin-permissions-necessary-to-create-a/m-p/141037#M35494 <P>We recently started implementing HBase namespaces + ACLs and have run into an issue. According to the docs: <A href="http://hbase.apache.org/0.94/book/ops.snapshots.html:" target="_blank">http://hbase.apache.org/0.94/book/ops.snapshots.html:</A></P><DIV><BLOCKQUOTE>14.8.7. Snapshots operations and ACLs</BLOCKQUOTE></DIV><BLOCKQUOTE>If you are using security with the AccessController Coprocessor (See <A href="http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html">Section 8.2, “Access Control”</A>), only a global administrator can take, clone, or restore a snapshot, and these actions do not capture the ACL rights. This means that restoring a table preserves the ACL rights of the existing table, while cloning a table creates a new table that has no ACL rights until the administrator adds them.</BLOCKQUOTE><P>Our application requires the ability to take a snapshot of a specific table, clone it, and then </P><H4></H4><H4>Questions </H4><UL> <LI>Why does the snapshot mechanism require this high level access to function? </LI><LI>Is this something that will change over time or is this the design and it's being done this way for a specific purpose?</LI></UL> Thu, 21 Jul 2016 20:52:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Why-is-global-admin-permissions-necessary-to-create-a/m-p/141037#M35494 slm 2016-07-21T20:52:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Why-is-global-admin-permissions-necessary-to-create-a/m-p/141038#M35495 <P>ACLs were not part of the core hbase (implemented through coprocessor). We were adding to a core functionality knowledge about an external component (ACL).</P><P>There was the discussion about the meaning of restoring the acls that we snapshotted (see HBASE-11013).</P><P>Please consult with the following for up-to-date ACL:</P><P><A href="http://hbase.apache.org/book.html#appendix_acl_matrix" target="_blank">http://hbase.apache.org/book.html#appendix_acl_matrix</A></P><P>We cannot allow any user to restore any snapshot otherwise you'll be able to see data that is not yours.</P><P>There is no ACL on snapshot to say "allow this user to restore/clone" the snapshot.</P> Thu, 21 Jul 2016 21:31:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Why-is-global-admin-permissions-necessary-to-create-a/m-p/141038#M35495 tyu 2016-07-21T21:31:46Z