hbase-issues mailing list archives

From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-7663) [Per-KV security] Visibility labels
Date Tue, 19 Nov 2013 05:45:27 GMT

     [ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Anoop Sam John updated HBASE-7663:

      Resolution: Fixed
    Release Note: 
VisibilityController CP handles the visibility.
The visibility labels are stored as tags with KVs.
Use Mutation#setCellVisibility(new CellVisibility(<labelExp>)); to add visibility expressions to cells.
The label expression can contain visibility labels joined with logical expressions &, | and !. Also, using ( and ), one can specify the precedence order.
Please note that passing CellVisibility in a Delete mutation is illegal.

During read (Scan/Get), one can specify the labels associated with it in Authorizations:
scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));

Visibility Label admin operations
Labels can be added to the system using VisibilityClient#addLabels(). The add_labels shell command can also be used.
Only the super user (hbase.superuser) has permission to add labels to the system.
A set of labels can be associated with a user using setAuths: VisibilityClient#setAuths().
Similarly, labels can be removed from user auths using clearAuths.
The getAuths API can be used to view user auths.
There is also support for the set_auths, clear_auths and get_auths shell commands.
As with addLabels, only the super user has permission for these operations.
When AccessController is ON, the permission checks are handled by AC.
Using AC along with Visibility is optional. When AC is not available, permission checks are done at the VisibilityController level itself.
    Hadoop Flags: Reviewed
          Status: Resolved  (was: Patch Available)

> [Per-KV security] Visibility labels
> -----------------------------------
>                 Key: HBASE-7663
>                 URL: https://issues.apache.org/jira/browse/HBASE-7663
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0
>            Reporter: Andrew Purtell
>            Assignee: Anoop Sam John
>             Fix For: 0.98.0
>         Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch, HBASE-7663_V9.patch
> Implement Accumulo-style visibility labels. Consider the following design principles:
> - Coprocessor based implementation
> - Minimal to no changes to core code
> - Use KeyValue tags (HBASE-7448) to carry labels
> - Use OperationWithAttributes# {get,set}Attribute for handling visibility labels in the
> - Implement a new filter for evaluating visibility labels as KVs are streamed through.
> This approach would be consistent in deployment and API details with other per-KV security work, supporting environments where they might both be employed, even stacked on some tables.
> See the parent issue for more discussion.

This message was sent by Atlassian JIRA
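
The read-time check the release note describes (a cell's label expression evaluated against the Authorizations passed with a Scan/Get), as an added Python model that is not part of the original message and is not HBase's own code. The names `visible`, `scan` and `CELLS`, the label character set, and the operator precedence (! binds tightest, then &, then |) are assumptions made for illustration.

```python
import re

# Assumed label alphabet; operators are the ones named in the release note.
TOKEN = re.compile(r"[A-Za-z0-9_.:/-]+|[&|!()]")

def visible(expr, auths):
    """Return True if a cell labelled `expr` is readable with `auths`."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"illegal character in {expr!r}")
    auths, stack = set(auths), toks[::-1]   # next token is stack[-1]

    def binary(op, operand, combine):
        val = operand()
        while stack and stack[-1] == op:
            stack.pop()
            rhs = operand()                 # always parse the right side
            val = combine(val, rhs)
        return val

    def parse_or():                         # lowest precedence (assumed)
        return binary("|", parse_and, lambda a, b: a or b)

    def parse_and():
        return binary("&", parse_not, lambda a, b: a and b)

    def parse_not():                        # !, parentheses and bare labels
        tok = stack.pop() if stack else None
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if not stack or stack.pop() != ")":
                raise ValueError("missing ')'")
            return val
        if tok in (None, "&", "|", ")"):
            raise ValueError(f"label expected, got {tok!r}")
        return tok in auths                 # a label holds if the reader has it

    result = parse_or()
    if stack:
        raise ValueError(f"unexpected token {stack[-1]!r}")
    return result

# Constructed sample cells: (row, visibility expression)
CELLS = [("row1", "SECRET"), ("row2", "SECRET|CONFIDENTIAL"),
         ("row3", "(SECRET|CONFIDENTIAL)&!PUBLIC"), ("row4", "SECRET&TOPSECRET")]

def scan(auths):
    """Rows a reader with `auths` would get back from the sample cells."""
    return [row for row, expr in CELLS if visible(expr, auths)]
```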