hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ChiaPing Tsai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16071) The VisibilityLabelFilter should not count the "delete cell"
Date Thu, 23 Jun 2016 10:15:16 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346218#comment-15346218
] 

ChiaPing Tsai commented on HBASE-16071:
---------------------------------------

The raw scan is useful for troubleshooting or backup. For example, we can log all mutations
to trace the user behavior or restore a table to point in time.
It seems to me that the purpose of raw scan remains unchanged whether the raw scan is ran
with security or not. The raw scan retrieves all delete marker and deleted cells w/o ACL and
visibility. On the other hand, the raw scan ran in the secure HBase retrieves the same cells,
excluding the unpermissible cells.

thanks

> The VisibilityLabelFilter should not count the "delete cell"
> ------------------------------------------------------------
>
>                 Key: HBASE-16071
>                 URL: https://issues.apache.org/jira/browse/HBASE-16071
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: ChiaPing Tsai
>            Assignee: ChiaPing Tsai
>            Priority: Minor
>             Fix For: 2.0.0, 1.3.0, 1.4.0
>
>         Attachments: HBASE-16071-v1.patch
>
>
> The VisibilityLabelFilter will see and count the "delete cell" if the scan.isRaw() returns
true, so the (put) cell will be skipped if it has lower version than "delete cell"
> The critical code is shown below:
> {code:title=VisibilityLabelFilter.java|borderStyle=solid}
>   public ReturnCode filterKeyValue(Cell cell) throws IOException {
>     if (curFamily.getBytes() == null
>         || !(CellUtil.matchingFamily(cell, curFamily.getBytes(), curFamily.getOffset(),
>             curFamily.getLength()))) {
>       curFamily.set(cell.getFamilyArray(), cell.getFamilyOffset(), cell.getFamilyLength());
>       // For this family, all the columns can have max of curFamilyMaxVersions versions.
No need to
>       // consider the older versions for visibility label check.
>       // Ideally this should have been done at a lower layer by HBase (?)
>       curFamilyMaxVersions = cfVsMaxVersions.get(curFamily);
>       // Family is changed. Just unset curQualifier.
>       curQualifier.unset();
>     }
>     if (curQualifier.getBytes() == null
>         || !(CellUtil.matchingQualifier(cell, curQualifier.getBytes(), curQualifier.getOffset(),
>             curQualifier.getLength()))) {
>       curQualifier.set(cell.getQualifierArray(), cell.getQualifierOffset(),
>           cell.getQualifierLength());
>       curQualMetVersions = 0;
>     }
>     curQualMetVersions++;
>     if (curQualMetVersions > curFamilyMaxVersions) {
>       return ReturnCode.SKIP;
>     }
>     return this.expEvaluator.evaluate(cell) ? ReturnCode.INCLUDE : ReturnCode.SKIP;
>   }
> {code}
> [VisibilityLabelFilter.java|https://github.com/apache/hbase/blob/d7a4499dfc8b3936a0eca867589fc2b23b597866/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message