Andrew Purtell wrote:
Last I tried to play with the cell-level security APIs in HBase, it
seemed very obtuse to me. Perhaps I was just dense and didn't find the
right sort of instructions.

I don't think anyone would debate that cell level security in HBase is a
work-in-progress. We'd really welcome your impressions and thoughts on any
use of those APIs if you're interested in providing that feedback. As
someone involved in their implementation, in my opinion they are not meant
to compete directly with Accumulo. They are an HBase-y take on similar
functionality meant to integrate with the HBase code base, not rework HBase
to look more like Accumulo internals. So, there will be differences that
affect functionality and performance. Our aim is for these features to work
best when HBase use cases may need cell level security, and also adequately
if you were working with Accumulo for a while but now are in an environment
that uses HBase instead. This latter case needs investigation and
refinement no doubt. Our biggest issue I think is the lack of people with
Accumulo app dev experience in the HBase community (probably,
unsurprisingly).

It's been on my radar to make time to do a more thorough investigation/comparison :) It's definitely important to manage the expectations on the maturity of the security system. I think that's ultimately the biggest point I wanted to make WRT cell-level security.

I think where security is critical, I would trust Accumulo more because
it's been very fleshed out over many years and been a part of the core
model since the start. I felt that HBase is still in a shake-down phase.
(again, I don't want to be argumentative -- it's just my personal
experience to date using the code and watching JIRA issues)

This would depend on what features you need. For example, if you want only
the basic strong authentication and don't need the cell level features,
correct me if I'm wrong Josh but HBase had this quite some time before
Accumulo. Going feature by feature, here's a list in order of maturity:
- Strong authentication for RPC and the auth token provider for MapReduce
- Table and CF level ACL based access control
- Cell level ACL and 'visibility label' based access control

FWIW

Very valid point. I did limit "security" explicitly to the "cell-level security" which was short-sighted on my part. For example, only in the last major release of Accumulo can Kerberos-clients authenticate with Accumulo. As such, the same "new" feature tag should be applied to it (I wrote it, so I'm sure there are bugs). You're very right there.

CF ACLs are also another good point of reference. Accumulo's ACL support is limited to namespace and table, no per-family support.
