hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-6192) Document ACL matrix in the book
Date Thu, 19 Jun 2014 23:14:27 GMT

    [ https://issues.apache.org/jira/browse/HBASE-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038083#comment-14038083 ]

Andrew Purtell commented on HBASE-6192:
---------------------------------------

bq. Can you grant at the RegionServer or master level or any others?

It's probably more useful to describe permissions as fitting into levels in the data model
as opposed to what particular daemon might be involved in decision-making. The hierarchy is
global -> namespace -> table -> cf -> cq -> cell. We start checking if the
user has the necessary permission bit at the top of the hierarchy and walk down until we find
a grant. So a bit granted at table level dominates any grants done at the cf, cf+cq, or cell
level; the user can do what that bit implies at any location in the table. Or, a bit granted
at global scope dominates all; the user is always allowed to take that action everywhere.


Mostly, permissions for global administrative and schema operations are checked in the master,
while permissions for queries and mutations are checked at the region level (since coprocessors
can be installed on a per table basis). We also do one check for ADMIN capability at the RegionServer
level, if the user is allowed to issue a stop request. Some admin actions like flush, compact,
and split requests are also checked at the region level, because clients can issue those directly
to the regionservers. 

> Document ACL matrix in the book
> -------------------------------
>
>                 Key: HBASE-6192
>                 URL: https://issues.apache.org/jira/browse/HBASE-6192
>             Project: HBase
>          Issue Type: Task
>          Components: documentation, security
>    Affects Versions: 0.94.1, 0.95.2
>            Reporter: Enis Soztutar
>            Assignee: Misty Stanley-Jones
>              Labels: documentaion, security
>             Fix For: 0.99.0
>
>         Attachments: HBASE-6192-2.patch, HBASE-6192-rebased.patch, HBASE-6192.patch,
HBase Security-ACL Matrix.pdf, HBase Security-ACL Matrix.pdf, HBase Security-ACL Matrix.pdf,
HBase Security-ACL Matrix.xls, HBase Security-ACL Matrix.xls, HBase Security-ACL Matrix.xls
>
>
> We have an excellent matrix at https://issues.apache.org/jira/secure/attachment/12531252/Security-ACL%20Matrix.pdf
for ACL. Once the changes are done, we can adapt that and put it in the book, also add some
more documentation about the new authorization features. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
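
The top-down walk described in the comment above, as an added example that is not part of the original message and not HBase's own code. It is a simplified model: the path tuples, the grant table, the user names and the single-letter permission bits are constructed for illustration.

```python
# Simplified model of the scope walk: global -> namespace -> table -> cf -> cq -> cell.
# A location is a tuple path; every prefix of it is an enclosing scope:
#   ()                                -> global
#   (ns,)                             -> namespace
#   (ns, table)                       -> table
#   (ns, table, cf)                   -> column family
#   (ns, table, cf, cq)               -> column qualifier
#   (ns, table, cf, cq, cell_id)      -> cell (cell_id is a constructed stand-in)
LEVELS = ("global", "namespace", "table", "cf", "cq", "cell")

# Constructed grants: (user, scope path) -> set of permission bits.
GRANTS = {
    ("carol", ()): {"A"},                                  # ADMIN at global scope
    ("alice", ("ns1", "orders")): {"W"},                   # WRITE on the whole table
    ("alice", ("ns1", "orders", "d")): {"W"},              # redundant: table grant answers first
    ("bob", ("ns1", "orders", "d", "status")): {"R"},      # READ on one cf+cq only
}


def check(grants, user, bit, location):
    """Walk from global scope down to `location`.

    Returns the name of the first (widest) level that grants `bit` to `user`,
    or None when no enclosing scope grants it (access denied).
    """
    if len(location) >= len(LEVELS):
        raise ValueError("location is deeper than cell level")
    for depth in range(len(location) + 1):
        scope = location[:depth]
        if bit in grants.get((user, scope), set()):
            return LEVELS[depth]
    return None


if __name__ == "__main__":
    cell = ("ns1", "orders", "d", "status", "row1")
    for user, bit, loc in [
        ("carol", "A", ("ns2", "audit")),                  # global grant applies everywhere
        ("alice", "W", cell),                              # decided at table level
        ("bob", "R", cell),                                # decided at cq level
        ("bob", "R", ("ns1", "orders", "d", "total")),     # sibling qualifier: no grant
        ("alice", "R", cell),                              # WRITE does not imply READ here
    ]:
        print(user, bit, "/".join(loc), "->", check(GRANTS, user, bit, loc))
```

Because the first grant found on the way down decides the outcome, a narrower scope in this model can only add access and never takes away what a wider scope already grants, which is worth keeping in mind when reviewing table-level or global grants.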
