hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization
Date Sat, 21 Mar 2015 02:17:38 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14372449#comment-14372449
] 

Andrew Purtell edited comment on HBASE-13275 at 3/21/15 2:16 AM:
-----------------------------------------------------------------

Patch for master.

Grep for 'authorizationEnabled' to catch where all the changes have been made.

The idea is if the coprocessors are loaded but authorization is disabled, then we enter a
passive mode where we maintain state, allow administrative actions (without authorization
checks), carry forward cell tags, etc. I figure although it's weird if the coprocessors are
loaded but authorization is disabled, there can be a use case for this. For example, the AccessController
can be installed in a passive mode, the admin can issue grants, the application can store
with ACL operation attrs and these will get carried through into KeyValues, users/applications
can test permissions with the check permissions API*, etc. and at some point the cluster admin
can toggle the "hbase.security.authorization" switch to 'true' and permissions will be enforced
for real. 

Disabling authorization also has the side effect of disabling auditing, except where users
invoke the service APIs, like AC grant or revoke, or VC label add or assignment. I could look
at leaving audit enabled but this would touch a lot more lines of code. 

* - Checking permissions will only work on ACL grants above the cell level, because these
changes bypass all filtering by cell ACLs or visibility labels. I'm not sure how one would
be passive and return all results yet also return indication where cells should have been
filtered out. That's going too far with it, I think.


was (Author: apurtell):
Patch for master.

Grep for 'authorizationEnabled' to catch where all the changes have been made.

The idea is if the coprocessors are loaded but authorization is disabled, then we enter a
passive mode where we maintain state, allow administrative actions (without authorization
checks), carry forward cell tags, etc. I figure although it's weird if the coprocessors are
loaded but authorization is disabled, there can be a use case for this. For example, the AccessController
can be installed in a passive mode, the admin can issue grants, the application can store
with ACL operation attrs and these will get carried through into KeyValues, users/applications
can test permissions with the check permissions API, etc. and at some point the cluster admin
can toggle the "hbase.security.authorization" switch to 'true' and permissions will be enforced
for real. 

Disabling authorization also has the side effect of disabling auditing, except where users
invoke the service APIs, like AC grant or revoke, or VC label add or assignment. I could look
at leaving audit enabled but this would touch a lot more lines of code. 

> Setting hbase.security.authorization to false does not disable authorization
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-13275
>                 URL: https://issues.apache.org/jira/browse/HBASE-13275
>             Project: HBase
>          Issue Type: Bug
>            Reporter: William Watson
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13
>
>         Attachments: HBASE-13275.patch
>
>
> According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is
the list of configs to enable authorization in HBase:
> {code}
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
> We wanted to then disable authorization but simply setting hbase.security.authorization
to false did not disable the authorization



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message