Date: Wed, 22 Nov 2017 07:11:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: dev@phoenix.apache.org
Subject: [jira] [Commented] (PHOENIX-672) Add GRANT and REVOKE commands using HBase AccessController

    [ https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16262074#comment-16262074 ]

ASF GitHub Bot commented on PHOENIX-672:
----------------------------------------

Github user ankitsinghal commented on a diff in the pull request:

    https://github.com/apache/phoenix/pull/283#discussion_r152483142

    --- Diff: phoenix-core/src/main/java/org/apache/phoenix/schema/MetaDataClient.java ---
@@ -4168,4 +4176,197 @@ public MutationState useSchema(UseSchemaStatement useSchemaStatement) throws SQL } return new MutationState(0, 0, connection); } + + public MutationState grantPermission(GrantStatement grantStatement) throws SQLException { + + StringBuffer grantPermLog = new StringBuffer(); + grantPermLog.append("Grant Permissions requested for user/group: " + grantStatement.getName()); + if (grantStatement.getSchemaName() != null) { + grantPermLog.append(" for Schema: " + grantStatement.getSchemaName()); + } else if (grantStatement.getTableName() != null) { + grantPermLog.append(" for Table: " + grantStatement.getTableName()); + } + grantPermLog.append(" Permissions: " + Arrays.toString(grantStatement.getPermsList())); + logger.info(grantPermLog.toString()); + + HConnection hConnection = connection.getQueryServices().getAdmin().getConnection(); + + try { + if (grantStatement.getSchemaName() != null) { + // SYSTEM.CATALOG doesn't have any entry for "default" HBase namespace, hence we will bypass the check + if(!grantStatement.getSchemaName().equals(QueryConstants.HBASE_DEFAULT_SCHEMA_NAME)) { + FromCompiler.getResolverForSchema(grantStatement.getSchemaName(), connection); + } + grantPermissionsToSchema(hConnection, grantStatement); + + } else if (grantStatement.getTableName() != null) { + PTable inputTable = PhoenixRuntime.getTable(connection, + SchemaUtil.normalizeFullTableName(grantStatement.getTableName().toString())); + if (!(PTableType.TABLE.equals(inputTable.getType()) || PTableType.SYSTEM.equals(inputTable.getType()))) { + throw new AccessDeniedException("Cannot GRANT permissions on INDEX TABLES or VIEWS"); + } + grantPermissionsToTables(hConnection, grantStatement, inputTable); + + } else { + grantPermissionsToUser(hConnection, grantStatement); --- End diff -- If for some reason grant doesn't succeed for all the tables. 
so do we have a plan to give a construct like "SHOW GRANTS" or something to the user to know what grants are still there for the user or on the table?

> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>         Attachments: PHOENIX-672.001.patch
>
>
> In HBase 0.98, cell-level security will be available. Take a look at [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security) excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add support for security to our SQL grammar.
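
Review bot: In the table branch of grantPermission, the check that rejects anything other than PTableType.TABLE or PTableType.SYSTEM throws AccessDeniedException("Cannot GRANT permissions on INDEX TABLES or VIEWS"), which reports an unsupported object type as an authorization failure. A client or an audit trail then cannot tell "this user may not grant" apart from "GRANT is not defined for this object". Since the method already declares throws SQLException, a SQLException that names the unsupported target would keep the two cases distinct. Two smaller points in the same hunk: the result of FromCompiler.getResolverForSchema(...) is discarded, so the existing comment could say that the call is made only to fail when the schema does not exist; and the opening log line would read more simply with a StringBuilder, or a single logger.info call, than with a StringBuffer fed by + concatenation.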