[ 
https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244968#comment-16244968
 ] 

Karan Mehta commented on PHOENIX-672:
-------------------------------------

The SQL syntax for REVOKE permissions supports revoking individual permissions 
based on conditions. For example, if a user has RW access on a table, we can 
write a SQL query to revoke just read access on the table. However, the HBase 
Revoke API in {{AccessControlClient}} doesn't provide that functionality out of 
the box. It takes in permissions as an input parameter, however it doesn't use 
it. The revoke option works by deleting the specific row and column qualifier 
from the hbase:acl table. The HBase SHELL command for revoke also doesn't take 
permissions as input.

At this point we have two choices:
1. We can be in sync with how HBase handles permissions and the SQL query for 
REVOKE will not include permissions. We need to document this behaviour. This 
is similar to how GRANT behavior is defined.
2. Follow the SQL syntax. This would require us to read the hbase:acl table to 
get the current permissions, determine the diff and remove the permissions 
provided by user. 

I would personally prefer option 1 since it reduces complexity and helps to 
keep in sync with how HBase works. We also need to add an option for users to 
view permissions as well, which may be carried out as part of a separate JIRA.
Please advise. [~jamestaylor] [~apurtell] [~an...@apache.org] [~elserj]

> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>
> In HBase 0.98, cell-level security will be available. Take a look at 
> [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security)
>  excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add 
> support for security to our SQL grammar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
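
An added illustration of the two choices in the comment above (not code from Phoenix, HBase or the commenter): a Python model in which a plain dictionary stands in for the hbase:acl table. The function names, table name and users are hypothetical, and no HBase client API is called.

```python
# Model of hbase:acl as {table_row: {user_qualifier: set of action letters}}.
# All data here is constructed sample data.
ACTIONS = frozenset("RWXCA")  # READ, WRITE, EXEC, CREATE, ADMIN


def parse_actions(spec):
    """Turn a string such as 'RW' into a validated set of action letters."""
    actions = set(spec.upper())
    unknown = actions - ACTIONS
    if unknown:
        raise ValueError("unknown permission letters: %s" % sorted(unknown))
    return actions


def revoke_hbase_style(acl, table, user, requested=""):
    """Choice 1: the requested permissions are accepted but not used;
    the user's whole entry (row + qualifier) is deleted."""
    parse_actions(requested)            # validated, then ignored
    row = acl.get(table, {})
    removed = row.pop(user, set())
    if not row:
        acl.pop(table, None)            # drop the now-empty row
    return removed                      # everything the user lost


def revoke_sql_style(acl, table, user, requested):
    """Choice 2: read current permissions, compute the diff,
    and keep whatever was not named in the REVOKE."""
    to_remove = parse_actions(requested)
    row = acl.get(table, {})
    current = row.get(user, set())
    remaining = current - to_remove
    if remaining:
        row[user] = remaining           # write back the reduced set
    else:
        row.pop(user, None)             # nothing left: delete the entry
        if not row:
            acl.pop(table, None)
    return current & to_remove          # only what was actually revoked


def sample_acl():
    """Constructed sample: alice has RW on T1, bob has R."""
    return {"T1": {"alice": set("RW"), "bob": set("R")}}


if __name__ == "__main__":
    a, b = sample_acl(), sample_acl()
    print("choice 1 removed:", sorted(revoke_hbase_style(a, "T1", "alice", "R")), "->", a)
    print("choice 2 removed:", sorted(revoke_sql_style(b, "T1", "alice", "R")), "->", b)
```

With the same "revoke R from alice" request, the first function leaves alice with no access to T1 while the second leaves her with W, which is the behavioural difference that would need documenting under choice 1.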
