[ https://issues.apache.org/jira/browse/RANGER-2724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajeshbabu Chintaguntla updated RANGER-2724:
--------------------------------------------
Attachment: RANGER-2724.patch
> Support EXECUTE permission in HBase Authorisation
> -------------------------------------------------
>
> Key: RANGER-2724
> URL: https://issues.apache.org/jira/browse/RANGER-2724
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Priority: Major
> Attachments: RANGER-2724.patch
>
>
> HBase Authorisation supports execute permission along with read, write, create
> and admin.
> https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cdh_sg_hbase_authorization.html#
> # Read (R) - can read data at the given scope
> # Write (W) - can write data at the given scope
> # Execute (X) - can execute coprocessor endpoints at the given scope
> # Create (C) - can create tables or drop tables (even those they did not
> create) at the given scope
> # Admin (A) - can perform cluster operations such as balancing the cluster or
> assigning regions at the given scope
> In HBase we can define endpoint implementations to extend the HBase
> functionality without touching the core. These endpoints can be called in
> table scope.
> Example: Endpoint section in
> https://blogs.apache.org/hbase/entry/coprocessor_introduction
> To run the endpoint implementations, users can be authorised with execute
> permissions. There are also coprocessor hooks supported for these
> endpoint invocations.
> {noformat}
> public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>     Service service, String methodName, Message request) throws IOException {
>   if (this.shouldCheckExecPermission && !(service instanceof AccessControlService)) {
>     this.requirePermission(ctx,
>         "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",
>         this.getTableName((RegionCoprocessorEnvironment) ctx.getEnvironment()),
>         (byte[]) null, (byte[]) null, Action.EXEC);
>   }
>   return request;
> }
>
> public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>     Service service, String methodName, Message request, Builder responseBuilder)
>     throws IOException {
> }
> {noformat}
> Anyway, this execute permission is optional, but it is better to have it in
> Ranger, mainly because in the case of Phoenix we use most of the coprocessor
> endpoints to deal with metadata for tables/resources to be written to system
> tables. So it would be helpful to have it.
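The decision made by the quoted preEndpointInvocation hook, modelled as a small stand-alone program. This is an added example, not code from HBase, Ranger or the attached patch; the class, the grant table, and the user, table and service names are constructed for illustration.

```java
import java.util.*;

// Added illustration: a simplified model, not HBase or Ranger source code.
public class ExecPermissionDemo {
    // The five HBase actions listed in the issue description.
    enum Action { READ, WRITE, EXEC, CREATE, ADMIN }

    // Hypothetical table-scope grants: user -> table -> allowed actions.
    static final Map<String, Map<String, EnumSet<Action>>> GRANTS = new HashMap<>();

    static void grant(String user, String table, Action... actions) {
        GRANTS.computeIfAbsent(user, u -> new HashMap<>())
              .computeIfAbsent(table, t -> EnumSet.noneOf(Action.class))
              .addAll(Arrays.asList(actions));
    }

    static boolean isAllowed(String user, String table, Action action) {
        return GRANTS.getOrDefault(user, Map.of())
                     .getOrDefault(table, EnumSet.noneOf(Action.class))
                     .contains(action);
    }

    // Mirrors the condition in the quoted hook: EXEC is required at table scope
    // unless the check is disabled or the service is AccessControlService.
    // The real hook throws on denial; this model returns false instead.
    static boolean mayInvokeEndpoint(String user, String table, String service,
                                     boolean shouldCheckExecPermission) {
        if (!shouldCheckExecPermission || service.equals("AccessControlService")) {
            return true;
        }
        return isAllowed(user, table, Action.EXEC);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        grant("analyst", "orders", Action.READ, Action.WRITE);
        grant("phoenix_svc", "orders", Action.READ, Action.WRITE, Action.EXEC);

        // READ and WRITE alone do not cover endpoint invocation.
        System.out.println(mayInvokeEndpoint("analyst", "orders", "RowCountService", true));      // false
        System.out.println(mayInvokeEndpoint("phoenix_svc", "orders", "RowCountService", true));  // true
        // AccessControlService calls bypass the EXEC check.
        System.out.println(mayInvokeEndpoint("analyst", "orders", "AccessControlService", true)); // true
        // With the check disabled, endpoint calls are not gated on EXEC at all.
        System.out.println(mayInvokeEndpoint("analyst", "orders", "RowCountService", false));     // true
    }
}
```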