[jira] [Commented] (PHOENIX-672) Add GRANT and REVOKE commands using HBase AccessController

Wed, 22 Nov 2017 10:39:19 -0800 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16263104#comment-16263104
 ] 

ASF GitHub Bot commented on PHOENIX-672:
----------------------------------------

Github user ankitsinghal commented on a diff in the pull request:

    https://github.com/apache/phoenix/pull/283#discussion_r152648189
  
    --- Diff: 
phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java
 ---
    @@ -229,17 +227,12 @@ public void 
handleRequireAccessOnDependentTable(String request, String userName,
                         + dependentTable);
                 return;
             }
    -        if (isAutomaticGrantEnabled) {
    --- End diff --
    
    @karanmehta93 
    Strict mode:- It will check permissions for dependent tables as well. For 
eg, If a user who has all access on data table is creating an index, then we 
need to ensure that all others users of data table can also access a new index 
table.
    AutomaticGrant:- It will automatically grant required permissions to 
dependent table users.
    
    @twdsilva , what about the case when a new index is been created?
    Purpose of the automatic grant:- let's say there are three users A and B 
have READ permission on the data-table and user C has RWC permission on 
data-table. so if user B creates an index, then we need to ensure that user A 
and C should also be able to read the index and C should be able to write to 
this Index and can drop the index also. so we will give only the required 
permission to the users of data-table on the index table. So, Access should 
propagate like this. 
    
    user | access data table | access on index table | with Automatic 
grant(access on index table will change like this) | comments
    -- | -- | -- | -- | --
    A | RAX | no access | RX | RX will be given on index table
    B | RX | RWXC | RWXC | no grant will happen
    C | RWXAC | no access | RWCX | read ,write and create will be given so that 
it can read/write to index table and drop as well.
    
    
    



> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>         Attachments: PHOENIX-672.001.patch
>
>
> In HBase 0.98, cell-level security will be available. Take a look at 
> [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security)
>  excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add 
> support for security to our SQL grammar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to