hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12346) Scan's default auths behavior under Visibility labels
Date Sat, 01 Nov 2014 06:19:34 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14192978#comment-14192978
] 

Hadoop QA commented on HBASE-12346:
-----------------------------------

{color:green}+1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12678663/HBASE-12346-master-v3.patch
  against trunk revision .
  ATTACHMENT ID: 12678663

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 5 new or modified
tests.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 javadoc{color}.  The javadoc tool did not generate any warning messages.

    {color:green}+1 checkstyle{color}.  The applied patch does not increase the total number
of checkstyle errors

    {color:green}+1 findbugs{color}.  The patch does not introduce any new Findbugs (version
2.0.3) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number
of release audit warnings.

    {color:green}+1 lineLengths{color}.  The patch does not introduce lines longer than 100

  {color:green}+1 site{color}.  The mvn site goal succeeds with this patch.

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html
Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//artifact/patchprocess/checkstyle-aggregate.html

  Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/11552//console

This message is automatically generated.

> Scan's default auths behavior under Visibility labels
> -----------------------------------------------------
>
>                 Key: HBASE-12346
>                 URL: https://issues.apache.org/jira/browse/HBASE-12346
>             Project: HBase
>          Issue Type: Bug
>          Components: API, security
>    Affects Versions: 0.98.7, 0.99.1
>            Reporter: Jerry He
>             Fix For: 0.98.8, 0.99.2
>
>         Attachments: HBASE-12346-master-v2.patch, HBASE-12346-master-v3.patch, HBASE-12346-master.patch
>
>
> In Visibility Labels security, a set of labels (auths) are administered and associated
with a user.
> A user can normally  only see cell data during scan that are part of the user's label
set (auths).
> Scan uses setAuthorizations to indicates its wants to use the auths to access the cells.
> Similarly in the shell:
> {code}
> scan 'table1', AUTHORIZATIONS => ['private']
> {code}
> But it is a surprise to find that setAuthorizations seems to be 'mandatory' in the default
visibility label security setting.  Every scan needs to setAuthorizations before the scan
can get any cells even the cells are under the labels the request user is part of.
> The following steps will illustrate the issue:
> Run as superuser.
> {code}
> 1. create a visibility label called 'private'
> 2. create 'table1'
> 3. put into 'table1' data and label the data as 'private'
> 4. set_auths 'user1', 'private'
> 5. grant 'user1', 'RW', 'table1'
> {code}
> Run as 'user1':
> {code}
> 1. scan 'table1'
> This show no cells.
> 2. scan 'table1', scan 'table1', AUTHORIZATIONS => ['private']
> This will show all the data.
> {code}
> I am not sure if this is expected by design or a bug.
> But a more reasonable, more client application backward compatible, and less surprising
default behavior should probably look like this:
> A scan's default auths, if its Authorizations attributes is not set explicitly, should
be all the auths the request user is administered and allowed on the server.
> If scan.setAuthorizations is used, then the server further filter the auths during scan:
use the input auths minus what is not in user's label set on the server.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message