phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas D'Silva (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4529) Users should only require RX access to SYSTEM.SEQUENCE table
Date Thu, 08 Feb 2018 00:49:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16356297#comment-16356297
] 

Thomas D'Silva commented on PHOENIX-4529:
-----------------------------------------

[~jamestaylor] 

I spoke to [~apurtell] offline. I think we should just wait for  HBASE-19842, after which
we only have to set the acl tag on the cells of the sequence row when they are created. This
acl tag is stored in the hbase acl table. When a user is granted (or revoked) access to a
schema or table, we also update this acl tag. We won't have to rewrite all cells of all sequences
in the schema. 



> Users should only require RX access to SYSTEM.SEQUENCE table
> ------------------------------------------------------------
>
>                 Key: PHOENIX-4529
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4529
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Assignee: Thomas D'Silva
>            Priority: Major
>
> Currently, users don't need to have Write access to {{SYSTEM.CATALOG}} and other tables,
since the code is run on the server side as login user. However for {{SYSTEM.SEQUENCE}}, write
permission is still needed. This is a potential security concern, since it allows anyone to
modify the sequences created by others. This JIRA is to discuss how we can improve the security
of this table. 
> Potential options include
> 1. Usage of HBase Cell Level Permissions (works only with HFile version 3 and above)
> 2. AccessControl at Phoenix Layer by addition of user column in the {{SYSTEM.SEQUENCE}}
table and use it for access control (Can be error-prone for complex scenarios like sequence
sharing)
> Please advice.
> [~tdsilva] [~jamestaylor] [~apurtell] [~ankit@apache.org] [~elserj]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message