
Why does a user need CREATE permission for "list" command on hbase shell?


New Contributor

Is READ permission not suitable?

1 ACCEPTED SOLUTION


Re: Why does a user need CREATE permission for "list" command on hbase shell?

Guru

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables on which the user has A or C. There is an alternative master RPC command, though, to get a list of tables that will return the table name, but not the descriptor, if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.
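An added example (not code from this thread or from HBase) that models the filtering described in the answer above, to show which tables a user with only R or W can use but will not see in `list`, and what a CREATE grant made only to fix that would also allow. The sample ACL, the function names, and the restriction to table-scope grants are assumptions.

```python
# Simplified model of the filtering described in the accepted answer.
# It is not HBase source code; table-scope grants only (assumption).

DESCRIPTOR_PERMS = frozenset("AC")  # `list`/describe need ADMIN or CREATE
# What CREATE adds at table scope, per the 0.94 doc text quoted in this thread.
CREATE_ALLOWS = ("alter table attributes",
                 "add, alter, or drop column families",
                 "drop the table")

def parse_perms(spec):
    """Validate a grant string such as 'RW' and return it as a set of letters."""
    perms = set(spec.upper())
    unknown = perms - set("RWCA")
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    return perms

def list_view(acl, user):
    """Tables whose descriptors the user gets back from `list`."""
    return sorted(t for t, spec in acl.get(user, {}).items()
                  if parse_perms(spec) & DESCRIPTOR_PERMS)

def names_only_view(acl, user):
    """Tables returned by the names-only master RPC: any table-scope grant."""
    return sorted(t for t, spec in acl.get(user, {}).items() if parse_perms(spec))

def hidden_from_list(acl, user):
    """Tables the user can read or write but that `list` will not show."""
    return sorted(set(names_only_view(acl, user)) - set(list_view(acl, user)))

def overgrant_report(acl, user):
    """If C were granted only to make `list` work, what else would it allow?"""
    return {t: CREATE_ALLOWS for t in hidden_from_list(acl, user)}

# Constructed sample ACL: user -> table -> permission letters.
SAMPLE_ACL = {
    "analyst": {"orders": "R", "events": "RW"},
    "owner": {"orders": "RWC", "events": "R"},
}

if __name__ == "__main__":
    for user in SAMPLE_ACL:
        print(user, "list:", list_view(SAMPLE_ACL, user),
              "hidden:", hidden_from_list(SAMPLE_ACL, user))
```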

12 REPLIES

Re: Why does a user need CREATE permission for "list" command on hbase shell?

Mentor

@Junichi Oda

Read permission is per table; list applies to all tables, so you'll need read permission on all tables otherwise.

Re: Why does a user need CREATE permission for "list" command on hbase shell?

New Contributor

@Artem Ervits

Thank you for your reply.

I got read permission on all tables, but I couldn't show tables by list command.

Re: Why does a user need CREATE permission for "list" command on hbase shell?

Mentor

There must be an explanation, but the reference page does not clarify it. I feel your pain. Perhaps it has to do with namespace permissions also. @Enis @Devaraj Das @vrodionov @nmaillard

Re: Why does a user need CREATE permission for "list" command on hbase shell?

New Contributor

@Artem Ervits

Thanks to you, I could communicate with Enis.

Thank you so much.

Re: Why does a user need CREATE permission for "list" command on hbase shell?

@Junichi Oda

Please see this http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html "good doc on permissions"

Only the superuser is allowed to create tables.

Permissions can be granted in any of the following scopes, though CREATE and ADMIN permissions are effective only at table scope.

  • Table
    • Read: User can read from any column family in table
    • Write: User can write to any column family in table
    • Create: User can alter table attributes; add, alter, or drop column families; and drop the table.
    • Admin: User can alter table attributes; add, alter, or drop column families; and enable, disable, or drop the table. User can also trigger region (re)assignments or relocation.
  • Column Family
    • Read: User can read from the column family
    • Write: User can write to the column family

Re: Why does a user need CREATE permission for "list" command on hbase shell?

New Contributor

@Neeraj Sabharwal

Thank you for your reply and the link.

I understand that read permission at the table scope enables me just to read column families, not to read tables. Is that right?

Re: Why does a user need CREATE permission for "list" command on hbase shell?

@Junichi Oda

Table level read = read only CF

CF read = Data

grant <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]    # grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions
user_permission <table>    # displays existing permissions

Re: Why does a user need CREATE permission for "list" command on hbase shell?

New Contributor

@Neeraj Sabharwal

Thank you for the details. I could understand clearly.

