hbase-dev mailing list archives

From Srikanth Srungarapu <srikanth...@gmail.com>
Subject Re: regarding secure read accesses in 0.98
Date Wed, 24 Sep 2014 19:41:55 GMT
Thanks guys for the inputs. I have created HBASE-12087 for changing the
default setting in 0.98.

On Wed, Sep 24, 2014 at 11:17 AM, Ted Yu <yuzhihong@gmail.com> wrote:

> bq. we could set early out to 'true' as default in 0.98
> +1 from me as well.
>
> On Wed, Sep 24, 2014 at 10:17 AM, Anoop John <anoop.hbase@gmail.com>
> wrote:
>
> > bq.we could set early out to 'true' as default in 0.98
> > (like it is in trunk and branch-1).
> >
> > +1
> >
> > -Anoop-
> >
> >
> > On Wed, Sep 24, 2014 at 10:20 PM, Andrew Purtell <apurtell@apache.org>
> > wrote:
> >
> > > As an alternative, we could set early out to 'true' as default in 0.98
> > > (like it is in trunk and branch-1). I didn't do that before because
> > > the behavior would be inconsistent with earlier releases, but if the
> > > consensus is the inconsistency between V2 and V3 is worse, then we
> > > could easily do that. File a JIRA? Or resurrect HBASE-11077.
> > >
> > > On Wed, Sep 24, 2014 at 9:46 AM, Andrew Purtell <apurtell@apache.org>
> > > wrote:
> > > > Yes that is no doubt a wart, but sounds like a doc fix mentioning a
> > > > HFileV3 errata could be a solution.
> > > >
> > > > On Wed, Sep 24, 2014 at 7:19 AM, Matteo Bertozzi
> > > > <theo.bertozzi@gmail.com> wrote:
> > > >> the problem is this:
> > > > >>  - 98 with default early out = false and hfile v2 will always give the
> > > > >> "Permission Denied" instead of the "0 rows" that you expect since the early
> > > > >> out is false
> > > > >>  - 98 with default early out = false and hfile v3 will always give the "0
> > > > >> rows"
> > > >>
> > > >> Matteo
> > > >>
> > > >>
> > > > >> On Tue, Sep 23, 2014 at 10:36 PM, Andrew Purtell <apurtell@apache.org>
> > > > >> wrote:
> > > > >>
> > > > >>> We've already done what you suggest for 1.0 Srikanth. We didn't do it
> > > > >>> for 0.98 because the new behavior for V3 was already present in
> > > > >>> earlier minor releases.
> > > >>>
> > > >>> On Tue, Sep 23, 2014 at 4:39 PM, Srikanth Srungarapu
> > > >>> <srikanth235@gmail.com> wrote:
> > > >>> > Hi Folks,
> > > > >>> > I noticed that within 0.98 branch, the behavior of read accesses depends
> > > > >>> > on hfile versions. If the user decides to use HFile V3 instead of HFile V2,
> > > > >>> > then the read actions in case of access denied case start returning 0 rows
> > > > >>> > instead of throwing AccessDenied exception. Ted mentioned yesterday that
> > > > >>> > some work has been done in this direction [1], where a flag
> > > > >>> > "hbase.security.access.early_out" was provided to the user for restoring
> > > > >>> > the previous behavior. But,
> > > > >>> > this flag does make sense only in the context of user switching to HFile
> > > > >>> > V3.  Is it a better idea to get rid of this dependency on file versions and
> > > > >>> > present users with a single knob for switching behavior? Or can we do
> > > > >>> > something about making this more consistent, maybe not immediately, but
> > > > >>> > for 1.0?
> > > >>> > Thanks,
> > > >>> > Srikanth.
> > > >>> >
> > > >>> > References:
> > > >>> > [1] https://issues.apache.org/jira/browse/HBASE-11070
> > > >>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>> Best regards,
> > > >>>
> > > >>>    - Andy
> > > >>>
> > > > >>> Problems worthy of attack prove their worth by hitting back. - Piet
> > > > >>> Hein (via Tom White)
> > > >>>
> > > >
> > > >
> > > >
> > > > --
> > > > Best regards,
> > > >
> > > >    - Andy
> > > >
> > > > Problems worthy of attack prove their worth by hitting back. - Piet
> > > > Hein (via Tom White)
> > >
> > >
> > >
> > > --
> > > Best regards,
> > >
> > >    - Andy
> > >
> > > Problems worthy of attack prove their worth by hitting back. - Piet
> > > Hein (via Tom White)
> > >
> >
>
