hbase-issues mailing list archives

From "ChiaPing Tsai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16071) The VisibilityLabelFilter and AccessControlFilter should not count the "delete cell"
Date Wed, 26 Oct 2016 08:44:58 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15607878#comment-15607878 ]

ChiaPing Tsai commented on HBASE-16071:
---------------------------------------

{quote}
Maybe we need to consider
version = Math.min(requestedMaxVersion , hcd.getMaxVersions());
{quote}
The AccessControlFilter's max version should be equal to ScanWildcardColumnTracker’s max
version. I mean doing this:
{noformat}
    int maxVersions = scan.isRaw() ? scan.getMaxVersions()
        : Math.min(scan.getMaxVersions(), scanInfo.getMaxVersions());
{noformat}
If AccessControlFilter's max version is bigger than ScanWildcardColumnTracker’s max version,
AccessControlFilter will authorize the unnecessary cell, because Filter#filterKeyValue(cell)
is getting called before calling ColumnTracker#checkVersions.
{code:title=UserScanQueryMatcher.java|borderStyle=solid}

    ReturnCode filterResponse = ReturnCode.SKIP;
    // STEP 2: Yes, the column is part of the requested columns. Check if filter is present
    if (filter != null) {
      // STEP 3: Filter the key value and return if it filters out
      filterResponse = filter.filterKeyValue(cell);
      switch (filterResponse) {
        case SKIP:
          return MatchCode.SKIP;
        case NEXT_COL:
          return columns.getNextRowOrNextColumn(cell);
        case NEXT_ROW:
          stickyNextRow = true;
          return MatchCode.SEEK_NEXT_ROW;
        case SEEK_NEXT_USING_HINT:
          return MatchCode.SEEK_NEXT_USING_HINT;
        default:
          // It means it is either include or include and seek next
          break;
      }
    }
    colChecker = columns.checkVersions(cell, timestamp, typeByte, false);

{code}
If AccessControlFilter's max version is smaller than ScanWildcardColumnTracker’s max version,
AccessControlFilter will lose some cells.

bq. But Filter#filterCell is getting called before applying deleted logic, expiry logic etc.
(If the Filter#filterCell is the Filter#filterKeyValue)
The RawScanQueryMatcher#match(cell) is shown below.
{code:title=RawScanQueryMatcher.java|borderStyle=solid}
  @Override
  public MatchCode match(Cell cell) throws IOException {
    if (filter != null && filter.filterAllRemaining()) {
      return MatchCode.DONE_SCAN;
    }
    MatchCode returnCode = preCheck(cell);
    if (returnCode != null) {
      return returnCode;
    }
    // For a raw scan, we do not filter out any cells by delete marker, and delete marker
    // is also returned, so we do not need to track delete.
    return matchColumn(cell);
  }
{code}
The expiry logic is implemented in ScanQueryMatcher#preCheck. So Filter#filterKeyValue is
getting called “after” applying expiry logic. And the RawScanQueryMatcher doesn’t apply
any deleted logic. So it seems to me that the deleted logic and expiry logic are not a problem.

Sorry if I made any mistake, and thanks for your feedback.

> The VisibilityLabelFilter and AccessControlFilter should not count the "delete cell"
> ------------------------------------------------------------------------------------
>
>                 Key: HBASE-16071
>                 URL: https://issues.apache.org/jira/browse/HBASE-16071
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: ChiaPing Tsai
>            Assignee: ChiaPing Tsai
>            Priority: Minor
>             Fix For: 2.0.0, 1.4.0, 1.3.1
>
>         Attachments: HBASE-16071-v1.patch, HBASE-16071-v2.patch, HBASE-16071-v3.patch
>
>
> The VisibilityLabelFilter will see and count the "delete cell" if the scan.isRaw() returns
> true, so the (put) cell will be skipped if it has lower version than "delete cell"
> The critical code is shown below:
> {code:title=VisibilityLabelFilter.java|borderStyle=solid}
>   public ReturnCode filterKeyValue(Cell cell) throws IOException {
>     if (curFamily.getBytes() == null
>         || !(CellUtil.matchingFamily(cell, curFamily.getBytes(), curFamily.getOffset(),
>             curFamily.getLength()))) {
>       curFamily.set(cell.getFamilyArray(), cell.getFamilyOffset(), cell.getFamilyLength());
>       // For this family, all the columns can have max of curFamilyMaxVersions versions.
>       // No need to consider the older versions for visibility label check.
>       // Ideally this should have been done at a lower layer by HBase (?)
>       curFamilyMaxVersions = cfVsMaxVersions.get(curFamily);
>       // Family is changed. Just unset curQualifier.
>       curQualifier.unset();
>     }
>     if (curQualifier.getBytes() == null
>         || !(CellUtil.matchingQualifier(cell, curQualifier.getBytes(), curQualifier.getOffset(),
>             curQualifier.getLength()))) {
>       curQualifier.set(cell.getQualifierArray(), cell.getQualifierOffset(),
>           cell.getQualifierLength());
>       curQualMetVersions = 0;
>     }
>     curQualMetVersions++;
>     if (curQualMetVersions > curFamilyMaxVersions) {
>       return ReturnCode.SKIP;
>     }
>     return this.expEvaluator.evaluate(cell) ? ReturnCode.INCLUDE : ReturnCode.SKIP;
>   }
> {code}
> [VisibilityLabelFilter.java|https://github.com/apache/hbase/blob/d7a4499dfc8b3936a0eca867589fc2b23b597866/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
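
The version-counting behaviour described in the issue, as an added example that is not HBase code and not part of the original message. It is a simplified, self-contained model of the `curQualMetVersions` counter for a single column; the class, the `filter` helper, the `countDeleteCells` switch and the sample cells are all constructed for illustration, and visibility-label evaluation is left out.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (assumption, not HBase code): cells of ONE column, newest first.
public class VersionCountDemo {
    enum Type { PUT, DELETE }

    static final class Cell {
        final long ts; final Type type;
        Cell(long ts, Type type) { this.ts = ts; this.type = type; }
        @Override public String toString() { return type + "@" + ts; }
    }

    // Mirrors the per-qualifier counter in the quoted filterKeyValue:
    // a cell is included only while at most maxVersions cells have been counted.
    // countDeleteCells=true models the reported behaviour on a raw scan;
    // countDeleteCells=false models a filter that does not spend a version
    // slot on delete markers (hypothetical switch, not an HBase option).
    static List<Cell> filter(List<Cell> column, int maxVersions, boolean countDeleteCells) {
        List<Cell> included = new ArrayList<>();
        int metVersions = 0;
        for (Cell c : column) {
            if (c.type == Type.DELETE && !countDeleteCells) {
                included.add(c);   // raw scan still returns the marker
                continue;
            }
            if (++metVersions > maxVersions) {
                continue;          // corresponds to ReturnCode.SKIP
            }
            included.add(c);
        }
        return included;
    }

    public static void main(String[] args) {
        // Constructed raw-scan input: a delete marker written after a put.
        List<Cell> column = new ArrayList<>();
        column.add(new Cell(200, Type.DELETE));
        column.add(new Cell(100, Type.PUT));

        // Column family max versions = 1.
        System.out.println("counting delete cells: " + filter(column, 1, true));
        System.out.println("ignoring delete cells: " + filter(column, 1, false));
    }
}
```

With the marker counted, the single version slot is consumed before the put is reached, so the put never gets to the authorization check at all.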
