hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10863) Scan doesn't return rows for user who has authorization by visibility label
Date Sat, 29 Mar 2014 03:11:15 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13951722#comment-13951722
] 

Ted Yu commented on HBASE-10863:
--------------------------------

In region server log, I found:
{code}
2014-03-28 20:11:20,449 DEBUG [RpcServer.handler=19,port=60020] visibility.DefaultScanLabelGenerator:
Labels [A] in Scan/Get visibility attributes dropped as user oozie/hor9n04@H.NET having no
auth set for those.
{code}
This was due to oozie/hor9n04@H.NET being parameter for kinit command.

I came up with a patch which uses user.getShortName() to retrieve labels if user.getName()
results in empty passedLabels.

Still debugging.

> Scan doesn't return rows for user who has authorization by visibility label
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-10863
>                 URL: https://issues.apache.org/jira/browse/HBASE-10863
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.1
>            Reporter: Ted Yu
>            Assignee: ramkrishna.s.vasudevan
>
> In secure deployment of 0.98 tip, I did:
> as user hbase:
> {code}
> add_labels 'A'
> create 'tb', 'f1'
> put 'tb', 'row', 'f1:q', 'v1', {VISIBILITY=>'A'}
> set_auths 'oozie', ['A']
> {code}
> as user oozie:
> {code}
> hbase(main):001:0> scan 'tb', { AUTHORIZATIONS => ['A']}
> ROW                                          COLUMN+CELL
> 0 row(s) in 0.1030 seconds
> {code}
> Here is my config:
> {code}
>   <property>
>     <name>hfile.format.version</name>
>     <value>3</value>
>   </property>
>   <property>
>    <name>hbase.coprocessor.master.classes</name>
>    <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
>   </property>
>   <property>
>    <name>hbase.coprocessor.region.classes</name>
>    <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
>   </property>
>   <property>
>    <name>hbase.regionserver.scan.visibility.label.generator.class</name>
>    <value>org.apache.hadoop.hbase.security.visibility.DefaultScanLabelGenerator</value>
>   </property>
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message