hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Hughes <jhug...@ccri.com>
Subject Re: Cell-level security with Coprocessors
Date Mon, 09 Apr 2018 20:51:07 GMT
Hi Anoop,

Here's a ticket for the discussion: 
https://issues.apache.org/jira/browse/HBASE-20374.

I found what you are mentioning, and I was able to integrate my custom 
coprocessor in GeoMesa by calling out to 
rs.getCoprocessorHost.preScannerOpen(scan) in order to enable the 
VisibilityController to insert its filters...

To be honest, this is definitely a corner case.  I think the fix might 
be to have the Region.getScanner implementation (2) to call out to any 
other Coprocessors to intercept as they are designed to.

Cheers,

Jim

1. 
https://github.com/locationtech/geomesa/blob/master/geomesa-hbase/geomesa-hbase-datastore/src/main/scala/org/locationtech/geomesa/hbase/coprocessor/GeoMesaCoprocessor.scala#L65
2. 
https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegion.java#L2783-L2829

On 2018-04-09 06:49, Anoop John wrote:
> Hi Jim
>                 Just taking your eg: Use cell level labels along with
> AggregationClient - Tt will NOT work.  The reason is the Aggregation
> impl for the server side will create scanner directly over the Region.
> As you know, the cell level security features work with the help of a
> co processor and it expects the CP to be informed while opening of
> scanner.   But the CP contact while opening the scanner is one layer
> above the Region level (ie at RSRpcServices).     So when the
> Aggregation service impl is opening the scanner, the visibility
> related CP will not get into pic.    If that was not the case, the
> rest of the things would have been just fine for ur need.  Mind
> opening an issue and we discuss under that for the possible fixes?
> 
> -Anoop-
> 
> On Fri, Mar 30, 2018 at 8:57 PM, Jim Hughes <jhughes@ccri.com> wrote:
>> Hi all,
>> 
>> I'm interested in combining an HBase Coprocessor with cell level 
>> security.
>> As a quick example, suppose one wanted to use the ColumnAggregation
>> Processor with cells with different authorizations.  Different users 
>> should
>> be able to scan and see the sum of the entries that they'd normally be 
>> able
>> to scan.
>> 
>> From the first few hours of looking, it appears that Coprocessors call 
>> out
>> to the RegionServer's getScanner method which does not apply any 
>> security by
>> default.
>> 
>> Have others had success combining custom coprocessors with cell-level
>> security?  That is, are there any pointers for getting started?
>> 
>> Cheers,
>> 
>> Jim
>> 

Mime
View raw message