hbase-issues mailing list archives

From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12745) Visibility Labels: support visibility labels for user groups.
Date Thu, 08 Jan 2015 06:47:35 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14268906#comment-14268906 ]

Anoop Sam John commented on HBASE-12745:
----------------------------------------

One suggestion
{code}
-  public boolean havingSystemAuth(byte[] user) throws IOException {
+  public boolean havingSystemAuth(User user) throws IOException {
     // A super user has 'system' auth.
     if (isSystemOrSuperUser(user)) {
       return true;
     }
     // A user can also be explicitly granted 'system' auth.
-    List<String> auths = this.getAuths(user, true);
+    Set<String> auths = new HashSet<String>();
+    auths.addAll(this.getUserAuths(Bytes.toBytes(user.getShortName()), true));
+    auths.addAll(this.getGroupAuths(user.getGroupNames(), true));
     if (LOG.isTraceEnabled()) {
-      LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths);
+      LOG.trace("The auths for user " + user.getShortName() + " are " + auths);
     }
     return auths.contains(SYSTEM_LABEL);
   }
   {code}
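Review bot: At the `LOG.trace("The auths for user " + user.getShortName() + " are " + auths)` line, `auths` is now the union of `getUserAuths(...)` and `getGroupAuths(...)`, so the trace no longer shows whether SYSTEM_LABEL came from a direct grant or from a group membership. Since this method decides 'system' auth, consider logging the user and group results separately, or including `user.getGroupNames()` in the message. Checking the user auths for SYSTEM_LABEL first and returning before the group lookup would also avoid building the merged HashSet when it is not needed. The change of the public signature from `byte[]` to `User` also deserves a Javadoc line stating that group labels are now considered.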
Better to do an early check for SYSTEM_LABEL in the user auths and early out. Then go with the group auths.

Else looks good.

> Visibility Labels:  support visibility labels for user groups.
> --------------------------------------------------------------
>
>                 Key: HBASE-12745
>                 URL: https://issues.apache.org/jira/browse/HBASE-12745
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 0.98.9, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 2.0.0
>
>         Attachments: HBASE-12745-master-v1.patch, HBASE-12745-master-v2.patch, HBASE-12745-master-v3.patch
>
>
> The thinking is that we should support visibility labels to be associated with user groups.
> We will then be able to grant visibility labels to a group in addition to individual users, which provides convenience and usability.
> We will use '@group' to denote a group name, as similarly done in AccessController.
> For example, 
> {code}
> set_auths '@group1', ['SECRET','PRIVATE']
> {code}
> {code}
> get_auths '@group1'
> {code}
> A user belonging to 'group1' will have all the visibility labels granted to 'group1'.
> We'll also support super user groups as specified in hbase-site.xml.
> The code update will mainly be on the server side VisibilityLabelService implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
