[
https://issues.apache.org/jira/browse/PHOENIX-4529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16356297#comment-16356297
]
Thomas D'Silva commented on PHOENIX-4529:
-----------------------------------------
[~jamestaylor]
I spoke to [~apurtell] offline. I think we should just wait for HBASE-19842,
after which we only have to set the acl tag on the cells of the sequence row
when they are created. This acl tag is stored in the hbase acl table. When a
user is granted (or revoked) access to a schema or table, we also update this
acl tag. We won't have to rewrite all cells of all sequences in the schema.
> Users should only require RX access to SYSTEM.SEQUENCE table
> ------------------------------------------------------------
>
> Key: PHOENIX-4529
> URL: https://issues.apache.org/jira/browse/PHOENIX-4529
> Project: Phoenix
> Issue Type: Bug
> Reporter: Karan Mehta
> Assignee: Thomas D'Silva
> Priority: Major
>
> Currently, users don't need to have Write access to {{SYSTEM.CATALOG}} and
> other tables, since the code is run on the server side as login user. However
> for {{SYSTEM.SEQUENCE}}, write permission is still needed. This is a
> potential security concern, since it allows anyone to modify the sequences
> created by others. This JIRA is to discuss how we can improve the security of
> this table.
> Potential options include
> 1. Usage of HBase Cell Level Permissions (works only with HFile version 3 and
> above)
> 2. AccessControl at Phoenix Layer by addition of user column in the
> {{SYSTEM.SEQUENCE}} table and use it for access control (Can be error-prone
> for complex scenarios like sequence sharing)
> Please advice.
> [~tdsilva] [~jamestaylor] [~apurtell] [~an...@apache.org] [~elserj]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
