hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12823) Visibility label security at limited localized level
Date Tue, 13 Jan 2015 03:58:34 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274664#comment-14274664
] 

Anoop Sam John commented on HBASE-12823:
----------------------------------------

Having an offline talk with [~jerryhe], one scenario is that many tables in the cluster but
only one or 2 having vis labelled data.    On scan the VC will install a new Filter to Scan
which goes through the tags in every cell.  (Well if there are no tags, negligible impact,
but there are some other tags...)   For those tables where vis labelled data need not be stored,
no need for any extra overhead.
We allow CPs can be installed at table level also. 
A solution for above scenario is to install VC as Master CP but not as region CP at cluster
level.  Add VC to only those table for which we need to store vis labelled data.  (Also VC
need to configured as RS CP as we have replication rewrite and if no replication scenario
just leave it)
Only thing missing from code now is we need VC to be installed on labels table itself. If
we are not installing VC at cluster level (but only per table level) the labels table will
not get this..
This can be fixed with a simple change to add VC cp into labels table when we create it in
VC#postStartMaster.
Is this better and enough for now [~jerryhe]?


> Visibility label security at limited localized level
> ----------------------------------------------------
>
>                 Key: HBASE-12823
>                 URL: https://issues.apache.org/jira/browse/HBASE-12823
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>             Fix For: 2.0.0
>
>
> Currently, if visibility label security is enabled for a HBase instance, after VisibilityController
is configured, the cell level visibility label filtering will kick in across the HBase instance.
> Cell level visibility label filtering has non-negligible performance impact.
> On the other hand, in many use cases, only a small portion of the overall data needs
visibility label protection.
> If we can support  visibility label security at a limited and localized level, we will
broaden the use cases and the adoption of this feature.
> We should be able to support visibility label security at per table or per column family
level. This is quite common in many other HBase features.
> Cell level visibility label filtering will only be enabled and kick in for the tables
or column families that the user designates.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message