hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-11432) [AccessController] Remove cell first strategy
Date Sat, 28 Jun 2014 16:50:26 GMT

    [ https://issues.apache.org/jira/browse/HBASE-11432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14046920#comment-14046920 ]

Andrew Purtell commented on HBASE-11432:
----------------------------------------

bq. This first 'if' check will mean that even if compatibleEarlyTermination is false or true
it is not going to check the cell level permission. 

cellFeaturesEnabled is always true unless running with HFile < 3, so in the typical case
this expression is 
{code}
if (false || compatibleEarlyTermination)
{code}
So this is really a test for 'compatibleEarlyTermination'.

{quote}
But if we allow that then the || condition in
{code}
        if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||
            authManager.authorize(user, table, cell, Permission.Action.READ)) {
          return ReturnCode.INCLUDE;
        }
{code}
has to be changed to
{code}
authManager.authorize(user, table, cell, Permission.Action.READ)) 
{code}
{quote}

This code is also called from AccessControlFilter when processing scans. 

> [AccessController] Remove cell first strategy
> ---------------------------------------------
>
>                 Key: HBASE-11432
>                 URL: https://issues.apache.org/jira/browse/HBASE-11432
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>             Fix For: 0.99.0, 0.98.4
>
>         Attachments: HBASE-11432.patch
>
>
> The cell first evaluation strategy for cell ACLs has been a problem since introduction.
> It was an afterthought and a mistake. It's not possible to use at all with the default config
> on trunk after HBASE-11077. Fairly certain there are no users. Remove. Deprecate related client
> API methods on Query. (Remove on trunk?)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
