hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Purtell <apurt...@apache.org>
Subject Re: regarding secure read accesses in 0.98
Date Wed, 24 Sep 2014 16:50:11 GMT
As an alternative, we could set early out to 'true' as default in 0.98
(like it is in trunk and branch-1). I didn't do that before because
the behavior would be inconsistent with earlier releases, but if the
consensus is the inconsistency between V2 and V3 is worse, then we
could easily do that. File a JIRA? Or resurrect HBASE-11077.

On Wed, Sep 24, 2014 at 9:46 AM, Andrew Purtell <apurtell@apache.org> wrote:
> Yes that is no doubt a wart, but sounds like a doc fix mentioning a
> HFileV3 errata could be a solution.
>
> On Wed, Sep 24, 2014 at 7:19 AM, Matteo Bertozzi
> <theo.bertozzi@gmail.com> wrote:
>> the problem is this:
>>  - 98 with default early out = false and hfile v2 will always give the
>> "Permission Denied" instead of the "0 rows" that you expect since the early
>> out is false
>>  - 98 with default early out = false and hfile v3 will always give the "0
>> rows"
>>
>> Matteo
>>
>>
>> On Tue, Sep 23, 2014 at 10:36 PM, Andrew Purtell <apurtell@apache.org>
>> wrote:
>>
>>> We've already done what you suggest for 1.0 Srikanth. We didn't do it
>>> for 0.98 because the new behavior for V3 was already present in
>>> earlier minor releases.
>>>
>>> On Tue, Sep 23, 2014 at 4:39 PM, Srikanth Srungarapu
>>> <srikanth235@gmail.com> wrote:
>>> > Hi Folks,
>>> > I noticed that withing 0.98 branch, the behavior of read accesses depends
>>> > on hfile versions. If the user decides to use HFile V3 instead of HFile
>>> V2,
>>> > then the read actions in case of access denied case start returning 0
>>> rows
>>> > instead of throwing AccessDenied exception. Ted mentioned yesterday that
>>> > some work has been done in this direction [1], where a flag
>>> > "hbase.security.access.early_
>>> > out" was provided to the user for restoring the previous behavior. But,
>>> > this flag does make sense only in the context of user switching to HFile
>>> > V3.  Is it a better idea to get rid of this dependency on file versions
>>> and
>>> > present users with a single knob for switching behavior? Or can we do
>>> > something about making this more consistent, may be not immediately, but
>>> > for 1.0?
>>> > Thanks,
>>> > Srikanth.
>>> >
>>> > References:
>>> > [1] https://issues.apache.org/jira/browse/HBASE-11070
>>>
>>>
>>>
>>> --
>>> Best regards,
>>>
>>>    - Andy
>>>
>>> Problems worthy of attack prove their worth by hitting back. - Piet
>>> Hein (via Tom White)
>>>
>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet
> Hein (via Tom White)



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet
Hein (via Tom White)

Mime
View raw message