Return-Path: 
 <dev-return-56136-apmail-hbase-dev-archive=hbase.apache.org@hbase.apache.org>
X-Original-To: apmail-hbase-dev-archive@www.apache.org
Delivered-To: apmail-hbase-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id D0152180BB
	for <apmail-hbase-dev-archive@www.apache.org>;
 Thu, 11 Feb 2016 22:54:19 +0000 (UTC)
Received: (qmail 38130 invoked by uid 500); 11 Feb 2016 22:54:18 -0000
Delivered-To: apmail-hbase-dev-archive@hbase.apache.org
Received: (qmail 38003 invoked by uid 500); 11 Feb 2016 22:54:18 -0000
Mailing-List: contact dev-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@hbase.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@hbase.apache.org>
List-Post: <mailto:dev@hbase.apache.org>
List-Id: <dev.hbase.apache.org>
Reply-To: dev@hbase.apache.org
Delivered-To: mailing list dev@hbase.apache.org
Received: (qmail 37662 invoked by uid 99); 11 Feb 2016 22:54:18 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Feb 2016 22:54:18 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 219E52C1F62
	for <dev@hbase.apache.org>; Thu, 11 Feb 2016 22:54:18 +0000 (UTC)
Date: Thu, 11 Feb 2016 22:54:18 +0000 (UTC)
From: "Gary Helmling (JIRA)" <jira@apache.org>
To: dev@hbase.apache.org
Message-ID: <JIRA.12938638.1455231227000.30970.1455231258134@Atlassian.JIRA>
In-Reply-To: <JIRA.12938638.1455231227000@Atlassian.JIRA>
References: <JIRA.12938638.1455231227000@Atlassian.JIRA>
 <JIRA.12938638.1455231227905@arcas>
Subject: [jira] [Created] (HBASE-15256) Replication access control should be
 based on destination table
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

Gary Helmling created HBASE-15256:
-------------------------------------

             Summary: Replication access control should be based on destination table
                 Key: HBASE-15256
                 URL: https://issues.apache.org/jira/browse/HBASE-15256
             Project: HBase
          Issue Type: Improvement
          Components: Replication, security
            Reporter: Gary Helmling


HBASE-12916 added access control for replication sinks, where previously it was missing.  However, the access control check is only enforced by checking for a global write permission.  This is both less granular than the check could be and less intuitive (access is denied even if the source cell has write permission to the table being replicated).

There is obviously more performance overhead from doing more granular checks, but if we only do checks on the distinct set of tables/cfs being written, I think the trade-off might be worth it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)