Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Why does a user need CREATE permission for "list" command on hbase shell?

avatar
Rising Star

Is READ permission not suitable?

1 ACCEPTED SOLUTION

avatar
Guru

This is a great question. The list command for getting the list of tables or getting the "description" of the tables requires ADMIN or CREATE privileges as of now. The full list of tables is filtered to only return the subset of tables that the user have A or C. There is an alternative master RPC command though to get a list of tables that will return the table name, but not the descriptor if you only have READ or WRITE permissions.

I think we need to fix this in HBase itself. Logically, if you have READ or WRITE access to the table, you should be able to get the table descriptor as well.

View solution in original post

12 REPLIES 12

avatar
Rising Star

@Enis Thank you for your reply and detail.

I underrstood that the list command requires ADMIN or CREATE and it is need to fix this in HBase if I get the list or description of the tables by READ permission.

How do you think that there are many accounts who can excecute hbase shell commands on HBase?

I think users would like to know the table name and get the list of tables by the list command. I also think that the administrator does not want to give a lot of users ADMIN or CREATE permissions.

For this reason, I thought READ permisson was better for the list command.

avatar
Guru

It seems we have made an explicit decision that getting the table descriptor should only be allowed for A or C permission, while getting the name of the table is allowed for all RWACE privileges. The discussion happened here: https://issues.apache.org/jira/browse/HBASE-12564?focusedCommentId=14234504&page=com.atlassian.jira....

However, in shell, the "list" command still uses the version that requires A or C. I've opened up a jira to fix this: https://issues.apache.org/jira/browse/HBASE-15147. Feel free to comment there if you want.

avatar
Rising Star

Thank you so much for your kindness.

I'll read jira pages and comment if there is something I want to say.