hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-7662) [Per-KV security] Store and apply per cell ACLs into/from KeyValue tags
Date Fri, 18 Oct 2013 02:23:42 GMT

     [ https://issues.apache.org/jira/browse/HBASE-7662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-7662:
----------------------------------

    Attachment: 7662.patch

This is an improved version of the HBASE-6222 per cell ACL implementation, reworked for cell
tags. 

A couple of significant differences:
- A new coprocessor hook for rewriting the KVs calculated for increment and append operations.
We use this to carry ACLs from earlier puts forward during an append or increment. ACLs are
NOT carried forward if the increment or append operation itself includes a new ACL to apply.
- An operation attribute for switching between cell ACL evaluation strategies, a boolean.

-- If FALSE (default) we first check CF or table level perms, only then wrap the scanner
if they fail to authorize at those levels. The filter then does not check table and CF perms
while iterating cells, only looks at ACLs on the cells. This will perform well for use cases
where users normally have CF level access but their perms may be limited on a per cell basis
because we will usually early out.
-- If TRUE then we wrap the scanner unconditionally and the scanner will first look at ACLs
on the cells. Only after that will it consider table or CF perms. This is useful for use cases
where users may not normally have access but will be granted special additional perms on a
per cell basis.

> [Per-KV security] Store and apply per cell ACLs into/from KeyValue tags
> -----------------------------------------------------------------------
>
>                 Key: HBASE-7662
>                 URL: https://issues.apache.org/jira/browse/HBASE-7662
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>         Attachments: 7662.patch
>
>
> We can improve the performance of per-cell authorization if the read of the cell ACL,
> if any, is combined with the sequential read of the cell data already in progress. When tags
> are inlined with KVs in block encoding (see HBASE-7448, and more generally HBASE-7233), we
> can use them to carry cell ACLs instead of using out-of-line storage (HBASE-7661) for that
> purpose.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
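
The two evaluation strategies and the ACL carry-forward rule described in the message above, as a simplified Python model that counts how many permission checks each strategy performs. This is an added example, not code from 7662.patch or from HBase; the function names, the "R" permission and the sample data are constructed, and the uncached per-cell fallback to CF perms in the TRUE case is a modelling assumption.

```python
# Simplified model, not HBase code. All names and data here are constructed.
CF_PERMS = {"alice": {"R"}}                      # table/CF level grants
CELLS = [                                        # per-cell ACLs carried with each cell
    {"row": "r1", "acl": {}},
    {"row": "r2", "acl": {"bob": {"R"}}},
    {"row": "r3", "acl": {}},
]

def scan(cells, cf_perms, user, cell_first=False):
    """Return (visible rows, number of CF checks, number of cell ACL checks)."""
    counts = {"cf": 0, "cell": 0}

    def cf_ok():
        counts["cf"] += 1
        return "R" in cf_perms.get(user, set())

    def cell_ok(cell):
        counts["cell"] += 1
        return "R" in cell["acl"].get(user, set())

    if not cell_first:
        # FALSE (default): check table/CF perms once; wrap the scanner only
        # if that fails, and then the filter looks at cell ACLs only.
        if cf_ok():
            rows = [c["row"] for c in cells]          # early out, no filter
        else:
            rows = [c["row"] for c in cells if cell_ok(c)]
    else:
        # TRUE: wrap unconditionally; cell ACL first, table/CF perms after.
        # Assumption: the fallback check is modelled per cell, uncached.
        rows = [c["row"] for c in cells if cell_ok(c) or cf_ok()]
    return rows, counts["cf"], counts["cell"]

def carried_acl(previous_cell, op_acl=None):
    """ACL for a cell rewritten by append/increment: the operation's own ACL
    if it supplies one, otherwise the ACL carried forward from the earlier put."""
    return dict(previous_cell["acl"]) if op_acl is None else dict(op_acl)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for cell_first in (False, True):
            print(user, cell_first, scan(CELLS, CF_PERMS, user, cell_first))
```

In this model both strategies return the same rows for a given user; what changes is the number of checks, which is the trade-off the message describes for users who normally have CF level access versus users who are granted access only on individual cells.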
