hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-12466) Document visibility scan label generator usage and behavior
Date Mon, 02 Mar 2015 18:17:05 GMT

    [ https://issues.apache.org/jira/browse/HBASE-12466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343523#comment-14343523
] 

Jerry He commented on HBASE-12466:
----------------------------------

Hi, [~misty]

bq.  A superuser can see the default set of authorizations for a given user by using the `set_auths`
HBase Shell command or the link:http://hbase.apache.org/devapidocs/org/apache/hadoop/hbase/security/visibility/VisibilityClient.htmlsgetAuths%28org.apache.hadoop.conf.Configuration,%20java.lang.String%29[setAuths()]
method.

There is a mismatch of the link (setAuths) and the method (get).  Also do you mean "A superuser
can set ..."?

bq. +The default implementation class is `org.apache.hadoop.hbase.security.visibility.DefaultScanLabelGenerator`,
which was implemented in link:https://issues.apache.org/jira/browse/HBASE-12466[HBASE-12468].

There is no more 'org.apache.hadoop.hbase.security.visibility.DefaultScanLabelGenerator'.
It has been changed/removed.  See the following comment in the org.apache.hadoop.hbase.security.visibility.VisibilityUtils#getScanLabelGenerators().
 Also there is a mismatch between the JIRA link and the real real JIRA number.

{code}
    // If no SLG is specified in conf, by default we'll add two SLGs
    // 1. FeedUserAuthScanLabelGenerator
    // 2. DefinedSetFilterScanLabelGenerator
    // This stacking will achieve the following default behavior:
    // 1. If there is no Auths in the scan, we will obtain the global defined set for the
user
    //    from the labels table.
    // 2. If there is Auths in the scan, we will examine the passed in Auths and filter out
the
    //    labels that the user is not entitled to. Then use the resulting label set.
    if (slgs.isEmpty()) {
      slgs.add(ReflectionUtils.newInstance(FeedUserAuthScanLabelGenerator.class, conf));
      slgs.add(ReflectionUtils.newInstance(DefinedSetFilterScanLabelGenerator.class, conf));
    }
    return slgs;
{code}

> Document visibility scan label generator usage and behavior
> -----------------------------------------------------------
>
>                 Key: HBASE-12466
>                 URL: https://issues.apache.org/jira/browse/HBASE-12466
>             Project: HBase
>          Issue Type: Task
>          Components: documentation, security
>            Reporter: Jerry He
>            Assignee: Misty Stanley-Jones
>         Attachments: HBASE-12466.patch
>
>
> Document the SLGs we provide and their behavior.
> Document the out-of-box default behavior.
> Document how to configure SLG if non-default behavior is desired. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message