[
https://issues.apache.org/jira/browse/HBASE-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869408#comment-13869408
]
Anoop Sam John commented on HBASE-10326:
----------------------------------------
Patch looks good Ram.
Pls correct the white spaces introduced after checkIfScanOrGetFromSuperUser
private method.
{code}
+ HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol = AccessControlService
+ .newBlockingStub(service);
+ ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName,
null, null,
+ Permission.Action.READ);
+ } finally {
+ acl.close();
+ }
{code}
Instead can use AccessControlClient#grant ? This code is repeated in tests..
Thanks for the patch.
> Super user should be able scan all the cells irrespective of the visibility
> labels
> ----------------------------------------------------------------------------------
>
> Key: HBASE-10326
> URL: https://issues.apache.org/jira/browse/HBASE-10326
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.98.0
> Reporter: ramkrishna.s.vasudevan
> Assignee: ramkrishna.s.vasudevan
> Priority: Critical
> Labels: security
> Fix For: 0.98.0, 0.99.0
>
> Attachments: HBASE-10326.patch, HBASE-10326_1.patch
>
>
> This issue is in lieu with HBASE-10322. In case of export tool, when the
> cells with visibility labels are exported using a super user we should be
> able to export the data. But with the current implementation, the super user
> would also be able to view cells that has visibility labels associated with
> the superuser. The idea of HBASE-10322 is to strip out tags based on user
> and if so this change is necessary for export tool to work with Visibility.
> ACL already has a concept of global admins.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
