hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7123) Refactor internal methods in AccessController
Date Sun, 04 May 2014 17:59:14 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13989067#comment-13989067 ]

Andrew Purtell commented on HBASE-7123:
---------------------------------------

When refactoring permissionGranted, requirePermission, and related functions, make the decision making
the evaluation of a chain of predicates. The chain can be configured by site configuration
or perhaps a security policy file.

We can incorporate HBASE-11095 as a predicate implementation.

> Refactor internal methods in AccessController
> ---------------------------------------------
>
>                 Key: HBASE-7123
>                 URL: https://issues.apache.org/jira/browse/HBASE-7123
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Andrew Purtell
>
> The authorize(), permissionGranted(), and requirePermission() methods in AccessController
> have organically grown as both the HBase client API and the AccessController itself have evolved,
> and now have several problems:
> - Code duplication (minor)
> - Unused variants (minor)
> - Signatures optimized for checking certain operations that have a familyMap. Unfortunately
> different operations have different ideas of what type a familyMap should be. This leads to
> runtime type checking and the need to convert one family map to another (e.g. {{Map<byte[],
> NavigableMap<byte[],Object>>}} to {{Map<byte[], Set<byte[]>>}}). (That
> kind of conversion code in a hot path hurts to look at.) There are too many Java collection
> type combinations floating around. Some of this should be approached at the client API level
> too, for example with HBASE-7114.
> - Only one Permission.Action can be checked at a time. We should really convert these
> into a bitmap if multiple actions need checking and pass that around instead.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
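
Added example, not part of the original message and not HBase code: a sketch of the two ideas in this thread, a permission decision made by an ordered chain of predicates and a bitmap that carries several actions in one check. Every name below (PredicateChainSketch, Request, AccessPredicate, frozenTables, tableGrants, the "user@table" key, the sample policy) is hypothetical, the Action enum is a local stand-in for Permission.Action, and the code assumes Java 16 or later for records.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
public class PredicateChainSketch {
  // Local stand-in for Permission.Action; each action owns one bit of an int bitmap.
  enum Action {
    READ, WRITE, EXEC, CREATE, ADMIN;
    static int mask(Action... actions) {
      int m = 0;
      for (Action a : actions) m |= 1 << a.ordinal();
      return m;
    }
  }
  enum Decision { ALLOW, DENY, ABSTAIN }
  // Hypothetical request shape: one bitmap carries every action being checked.
  record Request(String user, String table, int actions) {}
  interface AccessPredicate { Decision test(Request r); }
  // Denies any mutation of a table listed as frozen, whoever asks.
  static AccessPredicate frozenTables(Set<String> frozen) {
    int mutating = Action.mask(Action.WRITE, Action.CREATE);
    return r -> frozen.contains(r.table()) && (r.actions() & mutating) != 0
        ? Decision.DENY : Decision.ABSTAIN;
  }
  // Allows only when every requested bit is present in the user's grant for the table.
  static AccessPredicate tableGrants(Map<String, Integer> grants) {
    return r -> {
      int granted = grants.getOrDefault(r.user() + "@" + r.table(), 0);
      return (granted & r.actions()) == r.actions() ? Decision.ALLOW : Decision.ABSTAIN;
    };
  }
  // The first predicate that does not abstain decides; an exhausted chain denies.
  static boolean permissionGranted(List<AccessPredicate> chain, Request r) {
    if (r.actions() == 0) return false; // an empty bitmap would match any grant
    for (AccessPredicate p : chain) {
      Decision d = p.test(r);
      if (d != Decision.ABSTAIN) return d == Decision.ALLOW;
    }
    return false;
  }
  public static void main(String[] args) {
    // Constructed sample policy; in the proposal the chain would come from configuration.
    int rw = Action.mask(Action.READ, Action.WRITE);
    List<AccessPredicate> chain = List.of(
        frozenTables(Set.of("audit")),
        tableGrants(Map.of("alice@orders", rw, "alice@audit", rw)));
    System.out.println(permissionGranted(chain, new Request("alice", "orders", rw)));
    System.out.println(permissionGranted(chain, new Request("alice", "audit", rw)));
    System.out.println(permissionGranted(chain, new Request("bob", "orders", Action.mask(Action.READ))));
  }
}
```

Because the chain is ordered, placing the deny predicate first lets it override a grant that would otherwise allow the write, and a request no predicate recognises falls through to a deny.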
