[ https://issues.apache.org/jira/browse/HBASE-7662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-7662:
----------------------------------
Attachment: 7662.patch
This is an improved version of the HBASE-6222 per cell ACL implementation,
reworked for cell tags.
A couple of significant differences:
- A new coprocessor hook for rewriting the KVs calculated for increment and
append operations. We use this to carry ACLs from earlier puts forward during
an append or increment. ACLs are NOT carried forward if the increment or append
operation itself includes a new ACL to apply.
- An operation attribute for switching between cell ACL evaluation strategies,
a boolean.
-- If FALSE (default) we first check CF or table level perms, only then
wrap the scanner if they fail to authorize at those levels. The filter then
does not check table and CF perms while iterating cells, only looks at ACLs on
the cells. This will perform well for use cases where users normally have CF
level access but their perms may be limited on a per cell basis because we will
usually early out.
-- If TRUE then we wrap the scanner unconditionally and the scanner will first
look at ACLs on the cells. Only after that will it consider table or CF perms.
This is useful for use cases where users may not normally have access but will
be granted special additional perms on a per cell basis.
> [Per-KV security] Store and apply per cell ACLs into/from KeyValue tags
> -----------------------------------------------------------------------
>
> Key: HBASE-7662
> URL: https://issues.apache.org/jira/browse/HBASE-7662
> Project: HBase
> Issue Type: Sub-task
> Components: Coprocessors, security
> Affects Versions: 0.98.0
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Attachments: 7662.patch
>
>
> We can improve the performance of per-cell authorization if the read of the
> cell ACL, if any, is combined with the sequential read of the cell data
> already in progress. When tags are inlined with KVs in block encoding (see
> HBASE-7448, and more generally HBASE-7233), we can use them to carry cell
> ACLs instead of using out-of-line storage (HBASE-7661) for that purpose.
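A minimal model of the two cell ACL evaluation strategies described in the comment above, added here as an illustration; it is not code from 7662.patch or from HBase. The names `Cell`, `scan` and `cell_first` are hypothetical, and the model assumes that under TRUE a cell whose ACL does not grant the user falls through to the table/CF permission check.

```python
from dataclasses import dataclass, field

@dataclass
class Cell:
    row: str
    acl: dict = field(default_factory=dict)  # user -> actions, as carried in the cell's tag

def cell_grants(cell, user, action):
    return action in cell.acl.get(user, set())

def scan(cells, user, cf_perms, cell_first=False, action="READ"):
    """Return (visible rows, number of per-cell ACL checks performed).

    cf_perms maps user -> actions granted at table/CF level.
    cell_first models the boolean operation attribute (default FALSE).
    """
    cf_ok = action in cf_perms.get(user, set())
    if not cell_first:
        # FALSE: table/CF check first; if it authorizes, the scanner is
        # not wrapped and no cell ACL is ever inspected (the early out).
        if cf_ok:
            return [c.row for c in cells], 0
        # Otherwise the filter looks only at the ACLs on the cells.
        return [c.row for c in cells if cell_grants(c, user, action)], len(cells)
    # TRUE: scanner wrapped unconditionally; cell ACL is consulted first,
    # table/CF perms only afterwards (assumed fall-through on no grant).
    visible = [c.row for c in cells if cell_grants(c, user, action) or cf_ok]
    return visible, len(cells)

# Constructed sample data: alice has CF-level READ, bob only a cell grant.
CELLS = [Cell("r1"), Cell("r2", {"bob": {"READ"}}), Cell("r3", {"carol": {"READ"}})]
CF_PERMS = {"alice": {"READ"}}

if __name__ == "__main__":
    for user in ("alice", "bob", "dave"):
        for strategy in (False, True):
            print(user, strategy, scan(CELLS, user, CF_PERMS, cell_first=strategy))
```

In this model both strategies return the same cells; what changes is how many per-cell ACL checks a user with CF-level access pays for.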