hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization
Date Fri, 27 Mar 2015 11:18:54 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14383673#comment-14383673

Anoop Sam John commented on HBASE-13275:

bq.Of course you'll want to drop the ACL table before starting over with active enforcement,
issuing necessary grants again.
So what will be the real adv of we allow the admin ops in passive mode? Am I missing any thing?

bq.Regarding cell ACLs, ACL tags can be submitted directly by the client via cells with tags
unless the AC is installed. It's no different if the AC is passive. Either way when you set
up for enforcement you'll want to wipe the data and start new. Or, if this is a case where
an insecure application is being migrated to a secure environment (with or without a passive
trial) then we'd already need a migration tool that sanitizes pre-existing data.
One correction Andy..  It is not possible for the client to pass the cell acl (and vis labels)
directly within Cell. That should not be allowed in future also IMO. Right now any way we
dont allow passing Tags from client to server (Unless user is a super user)

> Setting hbase.security.authorization to false does not disable authorization
> ----------------------------------------------------------------------------
>                 Key: HBASE-13275
>                 URL: https://issues.apache.org/jira/browse/HBASE-13275
>             Project: HBase
>          Issue Type: Bug
>            Reporter: William Watson
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13
>         Attachments: HBASE-13275.patch, HBASE-13275.patch
> According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is
the list of configs to enable authorization in HBase:
> {code}
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
> We wanted to then disable authorization but simply setting hbase.security.authorization
to false did not disable the authorization

This message was sent by Atlassian JIRA

View raw message