hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10823) Resolve LATEST_TIMESTAMP to current server time before scanning for ACLs
Date Sat, 12 Apr 2014 17:34:14 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13967594#comment-13967594

Andrew Purtell commented on HBASE-10823:

bq. (Anoop) So in the acl check place also we might have to do ts based cell skip.This we
can do in a follow on Jira. Also we will need all fancy test cases.

Agree, this is what I meant above about " We may have to resort to a custom filter ultimately."

bq. (Ram)  The exact version deletion also check for the preceeding version though the latest
version allows the permission

Agree, exact version deletion should not check earlier versions. 

So to proceed, seems consensus is we commit the patch on this issue and resolve it to improve
existing behavior wrt future timestamps, and then carry the further work forward to a new
JIRA. We can do either or both of the below two things (or other ideas?):

1. Further improve the covering permissions check in the AccessController by building a map
of TimeRanges, pass this map to a custom filter, and have the custom filter select what cells
are relevant for ACL checks. This is what I would like to try as the next step.

2. Add Get#addColumn and Get#addFamily methods that take a timestamp like Delete#deleteColumn
and Delete#deleteFamily and add support in the query trackers. Essentially provide a mode
for Get that has the exact same semantics as Delete. I have not looked into this in detail
but it feels complicated. 

> Resolve LATEST_TIMESTAMP to current server time before scanning for ACLs
> ------------------------------------------------------------------------
>                 Key: HBASE-10823
>                 URL: https://issues.apache.org/jira/browse/HBASE-10823
>             Project: HBase
>          Issue Type: Improvement
>    Affects Versions: 0.98.1
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Minor
>             Fix For: 0.99.0, 0.98.2
>         Attachments: HBASE-10823.patch, HBASE-10823.patch, HBASE-10823.patch, test.patch
> Storing values with timestamps in the future is probably bad practice and can lead to
surprises. If cells with timestamps in the future have ACLs, permissions from those ACLs will
incorrectly be considered for authorizing the pending mutation. For sure that will be surprising.
> We should be able to avoid this case by resolving LATEST_TIMESTAMP to the current server
time when creating the internal scanner for finding ACLs in the covered cell set. 
> Documenting a todo item from a discussion between [~anoop.hbase] and myself.

This message was sent by Atlassian JIRA

View raw message