After some more testing in secure deployment of 0.98, I found some issue with cell visibility labels. Namely: HBASE-10863 Scan doesn't return rows for user who has authorization by visibility label in secure deployment HBASE-10857 clear_auths command gives exception on existing label and user in secure deployment
Underneath, they are actually caused by one defect: DefaultScanLabelGenerator#dropLabelsNotInUserAuths() would erroneously drop labels due to mismatching username. The fix, attached to HBASE-10863, switches to calling user.getShortName() which is consistent with AccessController in working with Kerberos principals. >From users' point of view, it would be expected that cell visibility labels work in secure deployment. I want to solicit opinion on whether RC3 is needed. If RC3 comes out, I would expect a quick vote. Cheers On Thu, Mar 27, 2014 at 4:05 PM, Ted Yu <[email protected]> wrote: > +1 > > - checked documentation and tarball > > - Ran unit test suite which passed > > - Ran in local and distributed mode > - checked the UI pages > > > On Thu, Mar 27, 2014 at 9:27 AM, Andrew Purtell <[email protected]>wrote: > >> +1 >> >> Unit test suite passes 100% 25 times out of 25 runs. >> >> Cluster testing looks good with LoadTestTool, YCSB, ITI, and ITIBLL. >> >> An informal performance test on a small cluster comparing 0.98.0 and >> 0.98.1 >> indicates no serious perf regressions. See email to dev@ titled >> "Comparsion >> between 0.98.0 and 0.98.1RC1 using YCSB". The results are still relevant >> to >> this RC. >> >> Some of the integration tests have issues when run in local mode but this >> test only problem can be fixed later. >> >> >> On Wed, Mar 26, 2014 at 12:25 PM, Andrew Purtell <[email protected] >> >wrote: >> >> > The 3rd HBase 0.98.1 release candidate (RC2) is available for download >> at >> > http://people.apache.org/~apurtell/0.98.1RC2/ and Maven artifacts are >> > also available in the temporary repository >> > https://repository.apache.org/content/repositories/orgapachehbase-1014 >> > >> > Signed with my code signing key D5365CCD. >> > >> > The issues resolved in this release can be found here: >> > >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310753&version=12325664 >> > >> > >> > This is the last RC expected for this version unless we find a new >> > blocker. >> > >> > Please try out the candidate and vote +1/-1 by midnight Pacific Time >> > (00:00 -0800 GMT) on March 31 on whether or not we should release this >> as >> > 0.98.1. >> > >> > -- >> > Best regards, >> > >> > - Andy >> > >> > Problems worthy of attack prove their worth by hitting back. - Piet Hein >> > (via Tom White) >> > >> >> >> >> -- >> Best regards, >> >> - Andy >> >> Problems worthy of attack prove their worth by hitting back. - Piet Hein >> (via Tom White) >> > >
