What about extracting those infos from HBase's audit logs? Retrieving all ACLs sounds hard if cell level ACLs is included, otherwise is feasible.
But from system security perspective, exposing all ACLs is not a secure behavior, though we can limit the api level to (Global|Namespace|Table|).Admin permission only. -------------------------- Best regards, R.C ________________________________________ From: Lars Francke <lars.fran...@gmail.com> Sent: 28 November 2018 03:03 To: dev@hbase.apache.org Subject: Expose an API to get all ACLs Hi, I have a use-case for a customer who's looking to build an audit tool. This audit tool should build a report of all authorizations across various products. HBase is one of them. Unfortunately in HBase it's not currently possible to list all ACLs without going directly to the _hbase:acl_ table (unless I'm missing something, which would be great). I see that the AccessControlLists class has a loadAll method but it's not exposed anywhere. Are there any objections in adding a method to retrieve all ACLs across all tables etc.? I'm not yet 100% sure on the permissions that should be required to do this. Any opinions? Global + Access or something similar? Cheers, Lars
