hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12823) Visibility label security at limited localized level
Date Wed, 14 Jan 2015 19:23:34 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14277505#comment-14277505
] 

Jerry He commented on HBASE-12823:
----------------------------------

Thanks for the comments.

I will look more into the performance related to security labels and tags.

Regarding Anoop's suggestion, there is one thing that may be a security concern.  You security
experts can chime in.
If VC is controlled by table attribute, then it can be altered by user with ACL (A or C) on
the table.
It is possible that users with ACL (A or C) permission on TableA are not allowed to access
data in TableA or bypass the visibility protection?

> Visibility label security at limited localized level
> ----------------------------------------------------
>
>                 Key: HBASE-12823
>                 URL: https://issues.apache.org/jira/browse/HBASE-12823
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>             Fix For: 2.0.0
>
>
> Currently, if visibility label security is enabled for a HBase instance, after VisibilityController
is configured, the cell level visibility label filtering will kick in across the HBase instance.
> Cell level visibility label filtering has non-negligible performance impact.
> On the other hand, in many use cases, only a small portion of the overall data needs
visibility label protection.
> If we can support  visibility label security at a limited and localized level, we will
broaden the use cases and the adoption of this feature.
> We should be able to support visibility label security at per table or per column family
level. This is quite common in many other HBase features.
> Cell level visibility label filtering will only be enabled and kick in for the tables
or column families that the user designates.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message