Why does a user need CREATE permission for "list" command on hbase shell?
- Labels: Apache HBase
Created 01-20-2016 05:57 AM
Is READ permission not suitable?
Created 01-20-2016 06:27 PM
This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables for which the user has A or C. There is an alternative master RPC command, though, to get a list of tables that will return the table name, but not the descriptor, if you only have READ or WRITE permissions.
I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.
Created 01-21-2016 02:21 AM
@Enis Thank you for your reply and detail.
I understood that the list command requires ADMIN or CREATE, and that this needs to be fixed in HBase if I am to get the list or description of the tables with READ permission.
What do you think about there being many accounts that can execute hbase shell commands on HBase?
I think users would like to know the table name and get the list of tables by the list command. I also think that the administrator does not want to give a lot of users ADMIN or CREATE permissions.
For this reason, I thought READ permission was better for the list command.
Created 01-21-2016 03:15 AM
It seems we have made an explicit decision that getting the table descriptor should only be allowed for A or C permission, while getting the name of the table is allowed for all RWACE privileges. The discussion happened here: https://issues.apache.org/jira/browse/HBASE-12564?focusedCommentId=14234504&page=com.atlassian.jira....
However, in shell, the "list" command still uses the version that requires A or C. I've opened up a jira to fix this: https://issues.apache.org/jira/browse/HBASE-15147. Feel free to comment there if you want.
Created 01-21-2016 04:15 AM
Thank you so much for your kindness.
I'll read the jira pages and comment if there is something I want to say.