
Why does a user need CREATE permission for "list" command on hbase shell?

Rising Star

Is READ permission not suitable?

1 ACCEPTED SOLUTION

Guru

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables that the user has A or C. There is an alternative master RPC command though to get a list of tables that will return the table name, but not the descriptor if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.
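
A plain-Ruby model of the filtering this answer describes, added here as an illustration (it is not HBase code and not part of the original post): it predicts which tables a user sees in `list` versus the name-only RPC, and which readable tables `list` hides. The user names, table names and function names are constructed, and only table-scope R/W/C/A grants are modelled.

```ruby
# Added example: models the visibility rules stated in the answer above.
# It makes no HBase calls; all grants below are constructed sample data.
require 'set'

DESCRIPTOR_PERMS = Set['A', 'C'].freeze            # needed for list / describe
NAME_PERMS       = Set['R', 'W', 'C', 'A'].freeze  # enough for the name-only RPC

# Constructed table-scope grants: [user, table, permission letters]
SAMPLE_GRANTS = [
  ['junichi', 'orders',   'R'],
  ['junichi', 'invoices', 'RW'],
  ['junichi', 'staging',  'RWC'],
  ['ops',     'orders',   'A']
].freeze

# Build { user => { table => Set of letters } }, merging repeated grants.
def index_grants(grants)
  idx = Hash.new { |h, u| h[u] = Hash.new { |t, k| t[k] = Set.new } }
  grants.each do |user, table, perms|
    perms.upcase.each_char do |p|
      raise ArgumentError, "unknown permission #{p}" unless NAME_PERMS.include?(p)
      idx[user][table] << p
    end
  end
  idx
end

# Tables on which the user holds at least one of the required permissions.
def visible_tables(idx, user, required)
  return [] unless idx.key?(user)
  idx[user].select { |_table, perms| perms.intersect?(required) }.keys.sort
end

# What `list` (descriptor-based) returns: only tables with A or C.
def list_result(idx, user)
  visible_tables(idx, user, DESCRIPTOR_PERMS)
end

# What the name-only master RPC returns: R or W is sufficient.
def table_names_result(idx, user)
  visible_tables(idx, user, NAME_PERMS)
end

# Tables the user can access but that `list` will not show them.
def hidden_from_list(idx, user)
  table_names_result(idx, user) - list_result(idx, user)
end
```

Running `hidden_from_list` over an exported set of grants shows which users will report "missing" tables even though their READ or WRITE grants are in place.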


12 REPLIES

Master Mentor

@Junichi Oda

Read permission is per table; list applies to all tables. You'll need read permission on all tables otherwise.

Rising Star

@Artem Ervits

Thank you for your reply.

I got read permission on all tables, but I couldn't show tables with the list command.

Master Mentor

There must be an explanation, but the reference page does not clarify it. I feel your pain. Perhaps it has to do with namespace permissions also. @Enis @Devaraj Das @vrodionov @nmaillard

Rising Star

@Artem Ervits

Thanks to you, I could communicate with Enis.

Thank you so much.

Master Mentor

@Junichi Oda

Please see this http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html "good doc on permissions"

Only the superuser is allowed to create tables.

Permissions can be granted in any of the following scopes, though CREATE and ADMIN permissions are effective only at table scope.

  • Table
    • Read: User can read from any column family in table
    • Write: User can write to any column family in table
    • Create: User can alter table attributes; add, alter, or drop column families; and drop the table.
    • Admin: User can alter table attributes; add, alter, or drop column families; and enable, disable, or drop the table. User can also trigger region (re)assignments or relocation.
  • Column Family
    • Read: User can read from the column family
    • Write: User can write to the column family

Rising Star

@Neeraj Sabharwal

Thank you for your reply and the link.

I understand that read permission enables me just to read column families at the table scope, not to read tables. Is that right?

Master Mentor

@Junichi Oda

Table level read = read only CF

CF read = Data

grant <user> <permissions>[ <table>[ <column family>[ <column qualifier> ] ] ]    #grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions 
user_permission <table>  # displays existing permissions

Rising Star

@Neeraj Sabharwal

Thank you for the details. I could understand clearly.
