hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Purtell <apurt...@apache.org>
Subject Re: Behavior change in Access Controller between 0.94 and 0.98
Date Thu, 24 Apr 2014 16:49:46 GMT
This is an intended change that was done as part of introducing cell ACLs.
Otherwise we can't support use cases where the user has no authorization on
the table or CF level but cell ACLs grant exceptional access. It also
brings the AccessController behavior in line with the new
VisibilityController - cells which the user are not authorized to see are
invisible in both settings.

Enis recently brought up the same issue, let me copy that here:


Subject: Get / Scan without table ACLs no longer throws

I was a bit surprised to find out about the case where there is a
behavioral change in trying to read from tables that the user do not have
table/cf level permission.
Also this behavioral change is applicable to the audit log as well, we no
longer mark the access granted / denied requests for gets and scans in the
audit log which is concerning.

>From the lsat paragraph in
https://blogs.apache.org/hbase/entry/hbase_cell_security, Andrew states
that there are two modes now, check cell first or not

However, my understanding was that the default behavior should check table
first, and then not do the scan at all if that is denied. From the code
TableAuthManager.authorize(), it does not look to be the case. My questions
 1) This is a behavioral change, and changes the default behavior as well
regardless of whether cell level security is used or not. Should we revert
back to the original behavior?
 2) Even if we do not revert, should we record get / scans in the audit log
 3) Are we targeting two use cases (a) user do not have table level auth,
but selectively have cell level access, and (b) user do have table level
auth but selectively NOT have cell level access? For these two use cases,
should the strategy be a table level property rather than an per-op
property ?


To which I replied:


The answer is #3.

It could be made a table level property.

> Also this behavioral change is applicable to the audit log as well, we no
longer mark the access granted / denied requests for gets and scans in the
 ‚Äčaudit log which is concerning.

This is some kind of logic bug or oversight, please file a jira.


So if the consensus is this is too surprising or unwanted, then we can
without much difficulty make the new behavior configurable on a per table
basis and have the default be the new behavior, with a release note and
paragraph in the security guide explaining how to reintroduce the old
behavior. I think that covers the bases.

On Thu, Apr 24, 2014 at 12:35 AM, Vandana Ayyalasomayajula <
avandana@yahoo-inc.com> wrote:

> Hi All,
> We have seen a behavior change in the manner AccessController blocks
> unauthorized users between 0.94 and 0.98.
> In 0.98, if an unauthorized user tried to perform GET, SCAN  empty results
> are returned, whereas the same operations
> in 0.94 used to throw access denied exceptions.
> Is this a behavior change or a bug in 0.98 ? It would be of great help if
> someone could point me to any jira which has discussions related to
> these changes.
> Thanks
> Vandana

Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message