hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HBASE-11077) [AccessController] Restore compatible early-out access denial
Date Wed, 30 Apr 2014 21:53:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-11077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986124#comment-13986124
] 

Andrew Purtell edited comment on HBASE-11077 at 4/30/14 9:53 PM:
-----------------------------------------------------------------

bq. I think early_out should be set to true by default, so that it is least surprise to the
admin.

Then we break compatibility from 0.98.1 to 0.98.2, in that default behavior prior to 0.98.2
in the 0.98 release line is quite different. And, unfortunately cell ACLs would become largely
useless, unless the admin research the feature and flip the attribute to "false", because
when we early out at CF checks to retain pre-0.98 behavior the cell ACLs that would otherwise
grant exceptional access won't be visited, unless using the cell-first strategy, which has
the drawback of requiring the cell grant access. 

bq. Did you stop pursuing the READ_INVISIBLE priv aproach?

Check out the other subtask and let's figure out what makes sense for 0.99+. 

Edits: Clarity, sorry for the multiple changes.


was (Author: apurtell):
bq. I think early_out should be set to true by default, so that it is least surprise to the
admin.

Then we break compatibility from 0.98.1 to 0.98.2. And, cell ACLs become largely useless,
since we early out at CF checks, they can't grant exceptional access unless using the cell-first
strategy, which has the drawback of requiring the cell grant access. 

bq. Did you stop pursuing the READ_INVISIBLE priv aproach?

Check out the other subtask and let's figure out what makes sense for 0.99+. It's not a trivial
discussion.

> [AccessController] Restore compatible early-out access denial
> -------------------------------------------------------------
>
>                 Key: HBASE-11077
>                 URL: https://issues.apache.org/jira/browse/HBASE-11077
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.99.0, 0.98.2
>
>         Attachments: HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch
>
>
> See parent for the whole story.
> For 0.98, to start, just put back the early out that was removed in 0.98.0 and allow
it to be overridden with a table attribute. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message