hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization
Date Fri, 27 Mar 2015 17:47:56 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14384229#comment-14384229

Andrew Purtell commented on HBASE-13275:

bq. So what will be the real adv of we allow the admin ops in passive mode? Am I missing any

I personally wouldn't install the security coprocessors if I didn't want them active, because
of the performance hit, but stepped back and considered if there's any use for it. Certainly
you can imagine "try before you buy" pilots, where ACLs are put in place and there are reviews
of the audit logs to determine if policy is working as expected. 

Turn this question around. What if we just disabled everything with 'hbase.security.authorization'=false,
even audit logging and the ability to set up test grants. Then the coprocessor is just dead
weight. At least here there is the possibility of some usefulness. 

Either disabling _everything_ or the "passive mode" I suggest will meet the objective of this
issue which is 'setting hbase.security.authorization to false does not disable authorization.
 So why not do the thing which may provide users more utility? 

If you are still not swayed by this argument, I don't care that much, we can just disable

bq. Right now any way we dont allow passing Tags from client to server (Unless user is a super
I pass cell TTLs through in KeyValues in some HRegion tests, but I see I'm using the region
object directly, so was confused about this. But all that prevents this is the codec implementation,

> Setting hbase.security.authorization to false does not disable authorization
> ----------------------------------------------------------------------------
>                 Key: HBASE-13275
>                 URL: https://issues.apache.org/jira/browse/HBASE-13275
>             Project: HBase
>          Issue Type: Bug
>            Reporter: William Watson
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13
>         Attachments: HBASE-13275.patch, HBASE-13275.patch
> According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is
the list of configs to enable authorization in HBase:
> {code}
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
> We wanted to then disable authorization but simply setting hbase.security.authorization
to false did not disable the authorization

This message was sent by Atlassian JIRA

View raw message