
Why does a user need CREATE permission for "list" command on hbase shell?

Explorer

Is READ permission not suitable?


12 REPLIES

Mentor

@Junichi Oda

Read permission is per table; list applies to all tables, so you'll need read permission on all tables.

Explorer

@Artem Ervits

Thank you for your reply.

I got read permission on all tables, but I couldn't show the tables with the list command.

Mentor

There must be an explanation, but the reference page does not clarify it; I feel your pain. Perhaps it has to do with namespace permissions also. @Enis @Devaraj Das @vrodionov @nmaillard

Explorer

@Artem Ervits

Thanks to you, I could communicate with Enis.

Thank you so much.

@Junichi Oda

Please see this: http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html (a good doc on permissions)

Only the superuser is allowed to create tables.

Permissions can be granted in any of the following scopes, though CREATE and ADMIN permissions are effective only at table scope.

  • Table
    • Read: User can read from any column family in table
    • Write: User can write to any column family in table
    • Create: User can alter table attributes; add, alter, or drop column families; and drop the table.
    • Admin: User can alter table attributes; add, alter, or drop column families; and enable, disable, or drop the table. User can also trigger region (re)assignments or relocation.
  • Column Family
    • Read: User can read from the column family
    • Write: User can write to the column family

Explorer

@Neeraj Sabharwal

Thank you for your reply and the link.

I understand that read permission at the table scope just enables me to read the column families, not to list the tables. Is that right?

@Junichi Oda

Table level read = read only CF

CF read = Data

grant <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]    # grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions
user_permission <table>                                                              # displays existing permissions

Explorer

@Neeraj Sabharwal

Thank you for the details. Now I understand clearly.

Guru

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables on which the user has A or C. There is an alternative master RPC command, though, to get a list of tables that will return the table name, but not the descriptor, if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.

Explorer

@Enis Thank you for your reply and the details.

I understood that the list command requires ADMIN or CREATE, and that HBase itself needs to be fixed if I am to get the list or description of the tables with READ permission.

What do you think about there being many accounts that can execute hbase shell commands on HBase?

I think users would like to know the table names and get the list of tables with the list command. I also think that the administrator does not want to give a lot of users ADMIN or CREATE permissions.

For this reason, I thought READ permission was better for the list command.

Guru

It seems we have made an explicit decision that getting the table descriptor should only be allowed for A or C permission, while getting the name of the table is allowed for all RWACE privileges. The discussion happened here: https://issues.apache.org/jira/browse/HBASE-12564?focusedCommentId=14234504&page=com.atlassian.jira....

However, in shell, the "list" command still uses the version that requires A or C. I've opened up a jira to fix this: https://issues.apache.org/jira/browse/HBASE-15147. Feel free to comment there if you want.
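As an added illustration (not code from the thread or from the HBase project), the two master calls behind "listing tables" as seen through the HBase 1.x Java client: listTableNames() is the names-only RPC Enis describes, and listTables() is the descriptor call the shell's list command used before HBASE-15147. It assumes a reachable cluster whose hbase-site.xml is on the classpath and a table (here called "t1", a constructed name) on which the running user holds only READ.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;

/**
 * Compares the two master RPCs the Admin API offers for "what tables exist".
 * Run it as the low-privilege user (kinit first on a secure cluster).
 */
public class ListTablesAsReader {

    /** Names only (GetTableNames RPC): the AccessController lets through any
     *  table on which the caller holds any permission, READ and WRITE included. */
    static TableName[] namesVisibleTo(Admin admin) throws IOException {
        return admin.listTableNames();
    }

    /** Names plus descriptors (GetTableDescriptors RPC): filtered down to the
     *  tables on which the caller holds ADMIN or CREATE, so a READ-only user
     *  gets an empty array here even though the table exists. */
    static HTableDescriptor[] descriptorsVisibleTo(Admin admin) throws IOException {
        return admin.listTables();
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = HBaseConfiguration.create();
        try (Connection conn = ConnectionFactory.createConnection(conf);
             Admin admin = conn.getAdmin()) {
            // A user granted only READ on the constructed table "t1" sees it here ...
            for (TableName name : namesVisibleTo(admin)) {
                System.out.println("name visible:       " + name.getNameAsString());
            }
            // ... but not here, which is why the shell's list came back empty for the asker.
            for (HTableDescriptor desc : descriptorsVisibleTo(admin)) {
                System.out.println("descriptor visible: " + desc.getTableName().getNameAsString());
            }
        }
    }
}
```

Running it once as an ADMIN/CREATE holder and once as the READ-only user makes the difference between the two filters visible without touching any grants.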

Explorer

Thank you so much for your kindness.

I'll read the jira pages and comment if there is something I want to say.
