hbase-dev mailing list archives

From Lars George <lars.geo...@gmail.com>
Subject HBase Service Level Authorization
Date Tue, 24 Jan 2017 07:36:07 GMT
Hi,

Looking at our `PolicyProvider` implementation I see this:

/**
 * Implementation of secure Hadoop policy provider for mapping
 * protocol interfaces to hbase-policy.xml entries.
 */
@InterfaceAudience.Private
public class HBasePolicyProvider extends PolicyProvider {
  protected final static Service[] services = {
      new Service("security.client.protocol.acl", ClientService.BlockingInterface.class),
      new Service("security.client.protocol.acl", AdminService.BlockingInterface.class),
      new Service("security.admin.protocol.acl", MasterService.BlockingInterface.class),
      new Service("security.masterregion.protocol.acl", RegionServerStatusService.BlockingInterface.class)
  };

How does that all make sense? Both the `ClientService` and
`AdminService` are controlled by the `security.client.protocol.acl`
setting, allowing (or disallowing) access to the two client-side APIs.
But then there is the `security.admin.protocol.acl` for the
`MasterService` that controls another half of the administrative
calls?

And then the last of them, which I presume, by looking at the provided
methods, covers the Master-RegionServer communication. It is
controlled by `security.masterregion.protocol.acl`... did we run out
of characters to not name that at least
`security.masterregionserver.protocol.acl`?

Can anyone explain what we are doing here? And why?

Best,
Lars
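
An added example, not part of the original message or the HBase code base: a small audit that reads an `hbase-policy.xml` and reports, per ACL key, which of the RPC interfaces from the excerpt above it gates, so the shared `security.client.protocol.acl` entry is visible. The sample policy file and its user and group names are constructed, and the ACL value syntax assumed is Hadoop's `users groups` form with `*` meaning everyone.

```python
import xml.etree.ElementTree as ET

# ACL key -> RPC interfaces it gates, copied from the HBasePolicyProvider excerpt above.
SERVICES = {
    "security.client.protocol.acl": ["ClientService", "AdminService"],
    "security.admin.protocol.acl": ["MasterService"],
    "security.masterregion.protocol.acl": ["RegionServerStatusService"],
}

# Constructed sample hbase-policy.xml; the user and group names are made up.
SAMPLE_POLICY = """<configuration>
  <property><name>security.client.protocol.acl</name><value>*</value></property>
  <property><name>security.admin.protocol.acl</name><value>hbaseadmin ops</value></property>
</configuration>"""


def parse_acl(value):
    """Split a Hadoop ACL string 'user1,user2 group1,group2'; '*' means everyone."""
    if value.strip() == "*":
        return {"wildcard": True, "users": [], "groups": []}
    # A leading space means "no users, groups only", so do not strip before splitting.
    users, _, groups = value.partition(" ")
    split = lambda s: [x for x in s.strip().split(",") if x]
    return {"wildcard": False, "users": split(users), "groups": split(groups)}


def audit(policy_xml):
    """Return one finding per ACL key: who is allowed and which interfaces that opens."""
    root = ET.fromstring(policy_xml)
    configured = {p.findtext("name"): p.findtext("value") or ""
                  for p in root.iter("property")}
    findings = []
    for key, interfaces in SERVICES.items():
        if key not in configured:
            findings.append({"key": key, "interfaces": interfaces, "status": "missing"})
            continue
        acl = parse_acl(configured[key])
        status = "open-to-all" if acl["wildcard"] else "restricted"
        findings.append({"key": key, "interfaces": interfaces, "status": status, **acl})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f["status"].ljust(12), f["key"], "->", ", ".join(f["interfaces"]))
```

On the sample input, the wildcard on `security.client.protocol.acl` is reported against both `ClientService` and `AdminService`, because the provider maps both interfaces to that one key.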
