[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels

Mon, 28 Oct 2013 23:15:19 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807718#comment-13807718
 ] 

Anoop Sam John commented on HBASE-7663:
---------------------------------------

Visibility Label admin operations
----------------------------------------
Labels can be added to the system using VisibilityClient#addLabels(). Also can 
use add_labels shell command
Only super user (hbase.superuse) have permission to add the labels into the 
system.
A set of labels can be associated for a user using setAuths. 
[VisibilityClient#setAuths()]
Similarly labels can be removed from user auths using clearAuths.
getAuths API can be used to view user auths.
Also there is support for set_auths, clear_auths and get_auths shell commands
Same way as in addLabels only super user have permission for these operations.
When AccessController is ON the permission checks are handled by AC.
Using AC along with Visibility is optional. When AC is not available, 
permission checks are done at VisibilityController level itself.

> [Per-KV security] Visibility labels
> -----------------------------------
>
>                 Key: HBASE-7663
>                 URL: https://issues.apache.org/jira/browse/HBASE-7663
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0
>            Reporter: Andrew Purtell
>            Assignee: Anoop Sam John
>         Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, 
> HBASE-7663_V3.patch
>
>
> Implement Accumulo-style visibility labels. Consider the following design 
> principles:
> - Coprocessor based implementation
> - Minimal to no changes to core code
> - Use KeyValue tags (HBASE-7448) to carry labels
> - Use OperationWithAttributes# {get,set}Attribute for handling visibility 
> labels in the API
> - Implement a new filter for evaluating visibility labels as KVs are streamed 
> through.
> This approach would be consistent in deployment and API details with other 
> per-KV security work, supporting environments where they might be both be 
> employed, even stacked on some tables.
> See the parent issue for more discussion.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to