hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16700) Allow for coprocessor whitelisting
Date Mon, 14 Nov 2016 23:44:58 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665402#comment-15665402

Enis Soztutar commented on HBASE-16700:

bq. Here I want to allow for whitelisting coprocessors, but as once can always be sneaky (or
ignorant) and use someone else's class name in a multi-tenant environment, the only permissioning
point I could get a handle on was the filesystem. 
I was asking whether we want to do class name white listing on top of path white listing.
It should be fine for now. 

bq. This ensures one can now use file:/// for whitelisting but no hdfs:/// paths to achieve
what you have asked for Phoenix (or any local coprocessors).
I was more thinking of only allowing coprocessors already in the classpath. Phoenix coprocessors
are not defined with a path, assuming that they are already under the hbase lib dir. So, not
even random stuff from the local file system. If you configure the allowed path to be a non-existing
path for example, you can achieve the affect, but it would be better if there is an easier
way. Something like opposite of wildcard which matches no string so that user cannot ever
dynamically load any coprocessor class. 

Can you please also add some doc / javadoc on how to configure this (maybe a couple of examples).

> Allow for coprocessor whitelisting
> ----------------------------------
>                 Key: HBASE-16700
>                 URL: https://issues.apache.org/jira/browse/HBASE-16700
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors
>            Reporter: Clay B.
>            Priority: Minor
>              Labels: security
>         Attachments: HBASE-16700.000.patch, HBASE-16700.001.patch, HBASE-16700.002.patch,
HBASE-16700.003.patch, HBASE-16700.004.patch, HBASE-16700.005.patch
> Today one can turn off all non-system coprocessors with {{hbase.coprocessor.user.enabled}}
however, this disables very useful things like Apache Phoenix's coprocessors. Some tenants
of a multi-user HBase may also need to run bespoke coprocessors. But as an operator I would
not want wanton coprocessor usage. Ideally, one could do one of two things:
> * Allow coprocessors defined in {{hbase-site.xml}} -- this can only be administratively
changed in most cases
> * Allow coprocessors from table descriptors but only if the coprocessor is whitelisted

This message was sent by Atlassian JIRA

View raw message