hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
Date Tue, 29 Oct 2013 14:16:33 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808011#comment-13808011
] 

Andrew Purtell commented on HBASE-7663:
---------------------------------------

V3 patch is looking pretty good Anoop.

Debug logging should be wrapped in if (LOG.isDebugEnabled()) conditionals. 

Could use an integration test. Can be follow on work, like HBASE-9846.

If ParseException is going to be thrown back to clients, it should be in hbase-client.

In VisibilityController you have this TODO:
{code}
TODO this can be made as a global LRU cache at HRS level?
{code}
Could be follow on work but I guess there will be another patch here soon that contains one?

In VisibilityController#preScannerOpen there is this empty conditional:
{code}
if (region.getRegionInfo().getTable().isSystemTable()) {

}
{code}
What is supposed to happen here?

"getSyetmAndSuperUsers" is misspelled.

In ZKVisibilityLabelWatcher should we be calling sync() on the ZK handle to insure we are
up to date?

Should we look at javaEWAH instead of BitSet?

Consider unit test coverage for the new labels commands, I guess somewhere in the visibility
unit tests since they require the CP to be installed.

The VisibilityController init code assumes if the AccessController is loaded it will be the
first in the chain. Should we rely on that?

> [Per-KV security] Visibility labels
> -----------------------------------
>
>                 Key: HBASE-7663
>                 URL: https://issues.apache.org/jira/browse/HBASE-7663
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0
>            Reporter: Andrew Purtell
>            Assignee: Anoop Sam John
>         Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, HBASE-7663_V3.patch
>
>
> Implement Accumulo-style visibility labels. Consider the following design principles:
> - Coprocessor based implementation
> - Minimal to no changes to core code
> - Use KeyValue tags (HBASE-7448) to carry labels
> - Use OperationWithAttributes# {get,set}Attribute for handling visibility labels in the
API
> - Implement a new filter for evaluating visibility labels as KVs are streamed through.
> This approach would be consistent in deployment and API details with other per-KV security
work, supporting environments where they might be both be employed, even stacked on some tables.
> See the parent issue for more discussion.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message