hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niels Basjes <Ni...@basjes.nl>
Subject Re: Dynamically deploying filters?
Date Sun, 09 Mar 2014 21:42:25 GMT
In my mind: if a (Filter)class can execute arbitrary code under a specific
userid then I expect that this code can simply read the HFiles from HDFS
directly. And because it is running under the 'hbase' user the HDFS
permissions should allow this.

Because I expect this loop hole to exist I think that handling this may be
tricky.


On Sun, Mar 9, 2014 at 4:44 PM, Ted Yu <yuzhihong@gmail.com> wrote:

> The original blog didn't mention security.
>
> If I understand correctly, the application of custom filters is after ACL
> check in a secure cluster.
> The cell visibility feature in 0.98 is implemented through
> VisibilityController which builds on top of BaseRegionObserver.
>
> So we should be fine.
>
>
> On Sun, Mar 9, 2014 at 12:39 AM, Niels Basjes <Niels@basjes.nl> wrote:
>
> > From what I see this is not putting those classes on into the cluster at
> > all. This looks like it is serializing them during each scan.
> > So this issue does not arise.
> > What I'm thinking about is how to ensure that this is not a way to avoid
> > the security in the cluster.
> >
> > Niels
> > On Mar 7, 2014 1:41 AM, "Ted Yu" <yuzhihong@gmail.com> wrote:
> >
> > > Interesting blog.
> > >
> > > I wonder how subsequent work addresses the following:
> > >
> > > bq. Updating the filter.jar in the Hadoop FS while a table scan is
> > > happening can have undesired results if the updated filters are not
> > > backward compatible.
> > >
> > >
> > > On Thu, Mar 6, 2014 at 12:54 PM, Niels Basjes <Niels@basjes.nl> wrote:
> > >
> > > > Hi,
> > > >
> > > > In the current HBase versions a Filter needs to be deployed by
> putting
> > a
> > > > jar into all region servers (and depending on the HBase version
> restart
> > > the
> > > > regionservers).
> > > >
> > > > I'm in a multi tenant cluster environment where we may run into the
> > need
> > > to
> > > > have both the old and the new version of a Filter available at the
> same
> > > > time. Also the option of having a method of easily trying out a new
> > > > implementation for a Filter (to see if it performs better) would be a
> > lot
> > > > easier if it were possible to use a custom Filter without having to
> put
> > > it
> > > > onto all region servers.
> > > >
> > > > So after some Googling I found this interesting experiment for
> > > dynamically
> > > > uploading the Filter code with the Scan:
> > > >
> > > >
> > >
> >
> http://tech.flurry.com/2012/12/06/exploring-dynamic-loading-of-custom-filters-i/
> > > >
> > > >
> > > > My question: Is such a feature planned for the mainline HBase?
> > > >
> > > > --
> > > > Best regards
> > > >
> > > > Niels Basjes
> > > >
> > >
> >
>



-- 
Best regards / Met vriendelijke groeten,

Niels Basjes

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message