hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-18659) Use HDFS ACL to give user the ability to read snapshot directly on HDFS
Date Wed, 23 Aug 2017 19:05:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-18659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16138891#comment-16138891 ]

Andrew Purtell commented on HBASE-18659:

You can't do this only at the table level. ACLs can be applied at namespace, table, column
family levels, and also *per-cell*.

Setting aside cell ACLs as a special case, the AccessController has logic that walks the hierarchy
namespace -> table -> CF when doing permissions checks. HDFS doesn't do this. Therefore
all HDFS level ACLs must operate at the smallest granularity, which is CF. 

Setting HDFS level permissions on the CF which do not factor into account per cell ACLs will
break access to those cells granted special access. That said, as an incompatible change for
HBase 3, we can remove cell ACLs. Or, it could be adequate to just document that scanning
snapshots directly on HDFS is incompatible with cell ACLs, so cell ACLs would be ignored.

> Use HDFS ACL to give user the ability to read snapshot directly on HDFS
> -----------------------------------------------------------------------
>                 Key: HBASE-18659
>                 URL: https://issues.apache.org/jira/browse/HBASE-18659
>             Project: HBase
>          Issue Type: New Feature
>            Reporter: Duo Zhang
> On the dev meetup notes in Shenzhen after HBaseCon Asia, there is a topic about the permission
> to read hfiles on HDFS directly.
> {quote}
> For client-side scanner going against hfiles directly; is there a means of being able
> to pass the permissions from hbase to hdfs?
> {quote}
> And at Xiaomi we also face the same problem. {{SnapshotScanner}} is much faster and consumes
> less resources, but only super user has the ability to read hfile directly on HDFS.
> So here we want to use HDFS ACL to address this problem.
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_File_System_API
> The basic idea is to set acl and default on the table directory on HDFS for the users
> who have the permission to read the table on HBase.
> Suggestions are welcomed.

This message was sent by Atlassian JIRA
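
An added sketch, not part of the original message and not HBase code, of the flattening the comment above implies: read grants made at namespace, table, or column family level are expanded to one reader list per CF, rendered as HDFS ACL entries, and users who hold only cell ACLs are reported because a CF-level HDFS ACL cannot express them. The grant tuples, user names, schema, and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. A scope is (namespace, table, family);
# None means "everything below this level".
GRANTS = [
    ("alice", ("ns1", None, None)),    # namespace-level read
    ("bob",   ("ns1", "t1", None)),    # table-level read
    ("carol", ("ns1", "t1", "cf_a")),  # column-family-level read
]
# dave holds only per-cell read ACLs on some cells in ns1:t1, family cf_b.
CELL_GRANTS = [("dave", ("ns1", "t1", "cf_b"))]
SCHEMA = {("ns1", "t1"): ["cf_a", "cf_b"], ("ns1", "t2"): ["cf_a"]}


def covers(scope, ns, table, cf):
    """Model of the namespace -> table -> CF walk: a grant applies to a CF
    when every level the grant specifies matches."""
    s_ns, s_table, s_cf = scope
    return s_ns == ns and s_table in (None, table) and s_cf in (None, cf)


def flatten(grants, schema):
    """Expand hierarchical grants to {(ns, table, cf): sorted readers}.
    HDFS does no such walk, so each CF needs its own explicit list."""
    readers = defaultdict(set)
    for (ns, table), families in schema.items():
        for cf in families:
            for user, scope in grants:
                if covers(scope, ns, table, cf):
                    readers[(ns, table, cf)].add(user)
    return {key: sorted(users) for key, users in readers.items()}


def acl_spec(users):
    """HDFS ACL entries for a CF directory: an access entry plus a default
    entry (inherited by new children) for each reader."""
    return ",".join(f"user:{u}:r-x,default:user:{u}:r-x" for u in users)


def cell_acl_gaps(cell_grants, flat):
    """Users with cell ACLs in a CF but no CF-wide read. A directory ACL
    either hides their cells or exposes the whole CF to them."""
    return sorted((u, s) for u, s in cell_grants if u not in flat.get(s, []))


if __name__ == "__main__":
    flat = flatten(GRANTS, SCHEMA)
    for key, users in sorted(flat.items()):
        print(key, acl_spec(users))
    print("not expressible in HDFS ACLs:", cell_acl_gaps(CELL_GRANTS, flat))
```

Each returned string is in the form accepted by `hdfs dfs -setfacl -m`; mapping a (namespace, table, family) key to its directories on HDFS is left out because it depends on the cluster layout.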
