hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10326) Super user should be able scan all the cells irrespective of the visibility labels
Date Mon, 13 Jan 2014 10:28:57 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869408#comment-13869408
] 

Anoop Sam John commented on HBASE-10326:
----------------------------------------

Patch looks good Ram.
Pls correct the white spaces introduced after checkIfScanOrGetFromSuperUser private method.
{code}
+    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    try {
+      BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+      AccessControlService.BlockingInterface protocol = AccessControlService
+          .newBlockingStub(service);
+      ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName, null, null,
+          Permission.Action.READ);
+    } finally {
+      acl.close();
+    }
{code}
Instead can use AccessControlClient#grant ?   This code is repeated in tests..

Thanks for the patch.


> Super user should be able scan all the cells irrespective of the visibility labels
> ----------------------------------------------------------------------------------
>
>                 Key: HBASE-10326
>                 URL: https://issues.apache.org/jira/browse/HBASE-10326
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.0
>            Reporter: ramkrishna.s.vasudevan
>            Assignee: ramkrishna.s.vasudevan
>            Priority: Critical
>              Labels: security
>             Fix For: 0.98.0, 0.99.0
>
>         Attachments: HBASE-10326.patch, HBASE-10326_1.patch
>
>
> This issue is in lieu with HBASE-10322.  In case of export tool, when the cells with
visibility labels are exported using a super user we should be able to export the data.  But
with the current implementation, the super user would also be able to view cells that has
visibility labels associated with the superuser.  The idea of HBASE-10322 is to strip out
tags based on user and if so this change is necessary for export tool to work with Visibility.
 ACL already has a concept of global admins.  



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message