hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-12745) Visibility Labels: support visibility labels for user groups.
Date Tue, 23 Dec 2014 03:31:13 GMT

     [ https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jerry He updated HBASE-12745:
-----------------------------
    Attachment: HBASE-12745-master-v1.patch

Attached v1 patch.

A brief explanation of the design:

1)  The group's visibility labels are persisted in the label table the same way as users.
The entry key is '@group_name'

2)  The group entries are dynamically interpreted and and kept in cash.

3)  All server side visibility labels get and check will apply to both user and the groups
that the user belongs to.

4) But client side get_auths call will only get the result explicit for that user only or
for that group (if parameter is @group) only.

5) Client side clear_auths call can only clear explicit for that user without expansion to
implicit group rights.

> Visibility Labels:  support visibility labels for user groups.
> --------------------------------------------------------------
>
>                 Key: HBASE-12745
>                 URL: https://issues.apache.org/jira/browse/HBASE-12745
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 0.98.9, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>         Attachments: HBASE-12745-master-v1.patch
>
>
> The thinking is that we should support visibility labels to be associated with user groups.
> We will then be able grant visibility labels to a group in addition to individual users,
which provides convenience and usability.
> We will use '@group' to denote a group name, as similarly done in AcccessController.
> For example, 
> {code}
> set_auths '@group1', ['SECRET','PRIVATE']
> {code}
> {code}
> get_auth '@group1'
> {code}
> A user belonging to 'group1' will have all the visibility labels granted to 'group1'
> We'll also support super user groups as specified in hbase-site.xml.
> The code update will mainly be on the server side VisibilityLabelService implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message