hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7367) Snapshot coprocessor and ACL security
Date Mon, 17 Dec 2012 18:18:14 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534139#comment-13534139
] 

Andrew Purtell commented on HBASE-7367:
---------------------------------------

bq. as I've said in the jira, this is just the first step to have all the code ready.

I saw that, and I don't agree it is appropriate to commit in present form. "Security is not
compatible with snapshots" = no.

GLOBAL ADMIN is a reasonable first step, this punts all decisionmaking about what to snapshot
or restore and how to essentially the superuser.

Up to this point IIRC we've been allowing TABLE CREATE to have the same privs on their specific
tables that the GLOBAL ADMIN has.

Whether or not to restore the _acl_ table is an administrative decision. Allow it if GLOBAL
ADMIN says so I'd say.
                
> Snapshot coprocessor and ACL security
> -------------------------------------
>
>                 Key: HBASE-7367
>                 URL: https://issues.apache.org/jira/browse/HBASE-7367
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Client, master, regionserver, snapshots, Zookeeper
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Minor
>             Fix For: hbase-6055, 0.96.0
>
>         Attachments: HBASE-7367-v0.patch
>
>
> Currently snapshot don't care about ACL...
> and in the first draft snapshots should be disabled if the ACL coprocessor is enabled.
> After the first step, we can discuss how to handle the snapshot/restore/clone.
> Is saving and restoring the _acl_ related rights, the right way? maybe after 3 months
we don't want to give the access the guys listed in the old _acl_...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message