Created 01-20-2016 05:57 AM
Is READ permission not suitable?
Created 01-20-2016 06:27 PM
This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables that the user have A or C. There is an alternative master RPC command though to get a list of tables that will return the table name, but not the descriptor if you only have READ or WRITE permissions.
I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.
Created 01-21-2016 02:21 AM
@Enis Thank you for your reply and detail.
I underrstood that the list command requires ADMIN or CREATE and it is need to fix this in HBase if I get the list or description of the tables by READ permission.
How do you think that there are many accounts who can excecute hbase shell commands on HBase?
I think users would like to know the table name and get the list of tables by the list command. I also think that the administrator does not want to give a lot of users ADMIN or CREATE permissions.
For this reason, I thought READ permisson was better for the list command.
Created 01-21-2016 03:15 AM
It seems we have made an explicit decision that getting the table descriptor should only be allowed for A or C permission, while getting the name of the table is allowed for all RWACE privileges. The discussion happened here: https://issues.apache.org/jira/browse/HBASE-12564?focusedCommentId=14234504&page=com.atlassian.jira....
However, in shell, the "list" command still uses the version that requires A or C. I've opened up a jira to fix this: https://issues.apache.org/jira/browse/HBASE-15147. Feel free to comment there if you want.
Created 01-21-2016 04:15 AM
Thank you so much for your kindness.
I'll read jira pages and comment if there is something I want to say.