Support Questions

joda · ‎01-20-2016

Is READ permission not suitable?

Enis · ‎01-20-2016

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables that the user have A or C. There is an alternative master RPC command though to get a list of tables that will return the table name, but not the descriptor if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.

View solution in original post

aervits · ‎01-20-2016

@Junichi Oda

read permission is per table, list applies to all tables, you'll need a read permission on all tables otherwise.

joda · ‎01-20-2016

@Artem Ervits

Thank you for your reply.

I got read permission on all tables, but I couldn't show tables by list command.

aervits · ‎01-20-2016

there must be an explanation but on reference page it does not clarify, I feel your pain. Perhaps it has to do with namespace permissions also. @Enis @Devaraj Das @vrodionov @nmaillard

joda · ‎01-21-2016

@Artem Ervits

Thanks to you, I could comminicate with Enis.

Thank you so much.

nsabharwal · ‎01-20-2016

@Junichi Oda

Please see this http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html "good doc on permissions"

Only the superuser is allowed to create tables.

Permissions can be granted in any of the following scopes, though CREATE and ADMIN permissions are effective only at table scope.

Table
- Read: User can read from any column family in table
- Write: User can write to any column family in table
- Create: User can alter table attributes; add, alter, or drop column families; and drop the table.
- Admin: User can alter table attributes; add, alter, or drop column families; and enable, disable, or drop the table. User can also trigger region (re)assignments or relocation.
Column Family
- Read: User can read from the column family
- Write: User can write to the column family

joda · ‎01-20-2016

@Neeraj Sabharwal

Thank you for your reply and the link.

I understand that read permission enables me to just read column family at the table scope not for reading tables. Is it right?

nsabharwal · ‎01-20-2016

@Junichi Oda

Table level read = read only CF

CF read = Data

grant <user> <permissions>[ <table>[ <column family>[ <column qualifier> ] ] ]    #grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions 
user_permission <table>  # displays existing permissions

joda · ‎01-21-2016

@Neeraj Sabharwal

Thank you for the details. I could understand clearly.

Enis · ‎01-20-2016

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables that the user have A or C. There is an alternative master RPC command though to get a list of tables that will return the table name, but not the descriptor if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.

Cloudera Community

Support Questions

Why does a user need CREATE permission for "list" command on hbase shell?