hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-18659) Use HDFS ACL to give user the ability to read snapshot directly on HDFS
Date Wed, 23 Aug 2017 14:29:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-18659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16138421#comment-16138421
] 

Wei-Chiu Chuang commented on HBASE-18659:
-----------------------------------------

Sounds like a pretty good proposal, and a valid use case of HDFS ACLs.

Things can get more complicated when you want to synchronize permissions between different
HFiles. You would also want to make sure the permission exposed to HBase is in sync with other
services, such as Hive or Impala, or MapReduce.

Apache Sentry is a project where it provides a centralized authorization management for these
services. From a HDFS perspective, the authorization of a file is delegated to Sentry, and
Sentry returns a HDFS ACL that is equivalent to Hive table permissions (RBAC).

> Use HDFS ACL to give user the ability to read snapshot directly on HDFS
> -----------------------------------------------------------------------
>
>                 Key: HBASE-18659
>                 URL: https://issues.apache.org/jira/browse/HBASE-18659
>             Project: HBase
>          Issue Type: New Feature
>            Reporter: Duo Zhang
>
> On the dev meetup notes in Shenzhen after HBaseCon Asia, there is a topic about the permission
to read hfiles on HDFS directly.
> {quote}
> For client-side scanner going against hfiles directly; is there a means of being able
to pass the permissions from hbase to hdfs?
> {quote}
> And at Xiaomi we also face the same problem. {{SnapshotScanner}} is much faster and consumes
less resources, but only super use has the ability to read hfile directly on HDFS.
> So here we want to use HDFS ACL to address this problem.
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_File_System_API
> The basic idea is to set acl and default on the table directory on HDFS for the users
who have the permission to read the table on HBase.
> Suggestions are welcomed.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message