Date: Wed, 30 Apr 2014 17:40:15 +0000 (UTC)
From: "Andrew Purtell (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Updated] (HBASE-11077) [AccessController] Restore compatible early-out access denial

     [ https://issues.apache.org/jira/browse/HBASE-11077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-11077:
-----------------------------------
    Release Note:
Prior to 0.98.0 if a user was not granted access to a column family or partial access (qualifier grants), then the AccessController would immediately throw back an AccessDeniedException. This behavior was changed in 0.98.0 to allow cell level ACLs to grant exceptional access. The user will no longer see an exception; instead the scanner will return result sets only including cells which grant exceptional access. If no such cell level grants are made, then the scanner will return the empty result set.

This change introduces a configuration setting which restores the pre-0.98.0 behavior. It can be set in the site file for global effect, or per table using HTableDescriptor#setConfiguration. This setting is AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT ("hbase.security.access.early_out"), a boolean. Set to "true" for backwards compatible behavior. As a consequence if there are no grants at the CF level then cell ACLs will be ignored unless the cell-first ACL evaluation strategy is used (toggled via Query#setACLStrategy).

Added release note

> [AccessController] Restore compatible early-out access denial
> -------------------------------------------------------------
>
>                 Key: HBASE-11077
>                 URL: https://issues.apache.org/jira/browse/HBASE-11077
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.99.0, 0.98.2
>
>         Attachments: HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch
>
>
> See parent for the whole story.
> For 0.98, to start, just put back the early out that was removed in 0.98.0 and allow it to be overridden with a table attribute.

--
This message was sent by Atlassian JIRA (v6.2#6252)
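
Added example, not part of the original message or of the HBase project's code: applying the setting named in the release note to a single table with HTableDescriptor#setConfiguration, and opting one scan in to cell-first evaluation with Query#setACLStrategy. The table name `example_table`, the class name, and the disable/modify/enable sequence through the 0.98-era HBaseAdmin client are assumptions.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.HBaseAdmin;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.security.access.AccessControlConstants;

public class EarlyOutExample {
  // Hypothetical table name, used only for this example.
  private static final TableName TABLE = TableName.valueOf("example_table");

  /** Per-table override: restore the pre-0.98.0 early-out denial for one table. */
  static void enableEarlyOut(Configuration conf) throws Exception {
    HBaseAdmin admin = new HBaseAdmin(conf);
    try {
      HTableDescriptor htd = admin.getTableDescriptor(TABLE);
      // CF_ATTRIBUTE_EARLY_OUT is "hbase.security.access.early_out"; the
      // value is a boolean passed as a string. For global effect, set the
      // same key to "true" in the site file instead of per table.
      htd.setConfiguration(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, "true");
      // Assumption: the schema change is applied with the table offline.
      admin.disableTable(TABLE);
      admin.modifyTable(TABLE, htd);
      admin.enableTable(TABLE);
    } finally {
      admin.close();
    }
  }

  /**
   * With early-out enabled, cell ACLs are ignored when there is no CF-level
   * grant unless the query asks for the cell-first strategy.
   */
  static Scan cellFirstScan() {
    Scan scan = new Scan();
    scan.setACLStrategy(true); // true selects cell-first evaluation
    return scan;
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    enableEarlyOut(conf);
    System.out.println("early_out enabled on " + TABLE
        + "; cell-first scan prepared: " + cellFirstScan());
  }
}
```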