hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12644) Visibility Labels: issue with storing super users in labels table
Date Sat, 13 Dec 2014 21:31:13 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14245547#comment-14245547
] 

Jerry He commented on HBASE-12644:
----------------------------------

Hi, Ted

If we want to do any cleaning of the super users from the labels table automatically, currently
there is no way to tell the super users from the normal users who were explicitly granted
'system' label. 
Also for rolling upgrade to work continuously, we probably can not delete the super user entries
in the labels table until the rolling upgrade is entirely completed.


> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
>                 Key: HBASE-12644
>                 URL: https://issues.apache.org/jira/browse/HBASE-12644
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.8, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 1.0.0, 2.0.0, 0.98.10
>
>         Attachments: 12644-0.98.patch, HBASE-12644-master-v2.patch, HBASE-12644-master-v3.patch,
HBASE-12644-master.patch
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system permission
in hbase:labels.
> This makes change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add super user
when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for details.
>  
> Additionally, there is no mechanism to remove any super user from the labels table.
>  
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from labelsCache
after retrieval by Visibility Controller.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message