hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HBASE-10326) Super user should be able scan all the cells irrespective of the visibility labels
Date Mon, 13 Jan 2014 17:23:02 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869711#comment-13869711
] 

Andrew Purtell edited comment on HBASE-10326 at 1/13/14 5:21 PM:
-----------------------------------------------------------------

bq. Instead can use AccessControlClient#grant ? This code is repeated in tests..

Or use the new grant/revoke methods in SecureTestUtils, which are designed for granting or
revoking in tests. They do things only possible in miniclusters to insure the AC has propagated
the grant to all caches first, to avoid flapping tests.

Are the changes to TestVisibilityLabels needed? The test runs under the superuser implicitly
right? There is no functional change though, would be fine to keep them.

What do the new tests in TestVisibilityLabelsWithACL do? Comment, please.


was (Author: apurtell):
bq. Instead can use AccessControlClient#grant ? This code is repeated in tests..

Or use the new grant/revoke methods in SecureTestUtils methods for granting, which also insures
the AC has propagated the grant to all caches first, to avoid racing tests.

Are the changes to TestVisibilityLabels needed? The test runs under the superuser implicitly
right? There is no functional change though, would be fine to keep them.

What do the new tests in TestVisibilityLabelsWithACL do? Comment, please.

> Super user should be able scan all the cells irrespective of the visibility labels
> ----------------------------------------------------------------------------------
>
>                 Key: HBASE-10326
>                 URL: https://issues.apache.org/jira/browse/HBASE-10326
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.0
>            Reporter: ramkrishna.s.vasudevan
>            Assignee: ramkrishna.s.vasudevan
>            Priority: Critical
>              Labels: security
>             Fix For: 0.98.0, 0.99.0
>
>         Attachments: HBASE-10326.patch, HBASE-10326_1.patch
>
>
> This issue is in lieu with HBASE-10322.  In case of export tool, when the cells with
visibility labels are exported using a super user we should be able to export the data.  But
with the current implementation, the super user would also be able to view cells that has
visibility labels associated with the superuser.  The idea of HBASE-10322 is to strip out
tags based on user and if so this change is necessary for export tool to work with Visibility.
 ACL already has a concept of global admins.  



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message