phoenix-dev mailing list archives

From "Karan Mehta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-672) Add GRANT and REVOKE commands using HBase AccessController
Date Thu, 09 Nov 2017 00:07:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244968#comment-16244968 ]

Karan Mehta commented on PHOENIX-672:
-------------------------------------

The SQL syntax for REVOKE permissions supports revoking individual permissions based on conditions.
For example, if a user has RW access on a table, we can write a SQL query to revoke just read
access on the table. However, the HBase Revoke API in {{AccessControlClient}} doesn't provide that
functionality out of the box. It takes in permissions as an input parameter; however, it doesn't
use it. The revoke option works by deleting the specific row and column qualifier from the hbase:acl
table. The HBase SHELL command for revoke also doesn't take permissions as input.

At this point we have two choices:
1. We can be in sync with how HBase handles permissions, and the SQL query for REVOKE will
not include permissions. We need to document this behaviour. This is similar to how GRANT
behavior is defined.
2. Follow the SQL syntax. This would require us to read the hbase:acl table to get the current
permissions, determine the diff and remove the permissions provided by the user.

I would personally prefer option 1 since it reduces complexity and helps to keep in sync with
how HBase works. We also need to add an option for users to view permissions as well, which may
be carried out as part of a separate JIRA.
Please advise. [~jamestaylor] [~apurtell] [~ankit@apache.org] [~elserj]

> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>
> In HBase 0.98, cell-level security will be available. Take a look at [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security)
> excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add support for security
> to our SQL grammar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
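
The two REVOKE options weighed in the comment above, modelled side by side as an added example; it is not part of the original message and is not Phoenix or HBase code. It assumes a simplified in-memory stand-in for hbase:acl (a dict from (table, user) to a set of HBase action letters), and the function names are hypothetical.

```python
# Simplified in-memory model of hbase:acl (assumption): (table, user) -> set of
# action letters. Real HBase stores these as cells; no HBase API is called here.
ACTIONS = frozenset("RWXCA")  # READ, WRITE, EXEC, CREATE, ADMIN


def revoke_hbase_style(acl, table, user, actions=()):
    """Option 1: the entry is deleted whole; `actions` is accepted but ignored."""
    acl.pop((table, user), None)
    return set()


def revoke_sql_style(acl, table, user, actions):
    """Option 2: read current permissions, compute the diff, write back the rest."""
    requested = set(actions)
    unknown = requested - ACTIONS
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    current = acl.get((table, user), set())
    remaining = current - requested
    if remaining:
        acl[(table, user)] = remaining
    else:
        acl.pop((table, user), None)  # nothing left: drop the entry
    return remaining


def sample_acl():
    # Constructed sample data: alice has RW on T1, bob has R.
    return {("T1", "alice"): {"R", "W"}, ("T1", "bob"): {"R"}}


if __name__ == "__main__":
    for revoke in (revoke_hbase_style, revoke_sql_style):
        acl = sample_acl()
        left = revoke(acl, "T1", "alice", "R")
        print(f"{revoke.__name__}: alice keeps {sorted(left) or 'nothing'}")
```

Under option 1 a request to revoke only R leaves alice with no access at all, which is why the comment says the behaviour must be documented. Option 2 is a read-modify-write on the ACL entry, so a real implementation has to account for a GRANT landing between the read and the write.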
