[
https://issues.apache.org/jira/browse/HBASE-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869711#comment-13869711
]
Andrew Purtell commented on HBASE-10326:
----------------------------------------
bq. Instead can use AccessControlClient#grant ? This code is repeated in tests..
Or use the new grant/revoke methods in SecureTestUtils methods for granting,
which also insures the AC has propagated the grant to all caches first, to
avoid racing tests.
Are the changes to TestVisibilityLabels needed? The test runs under the
superuser implicitly right? There is no functional change though, would be fine
to keep them.
What do the new tests in TestVisibilityLabelsWithACL do? Comment, please.
> Super user should be able scan all the cells irrespective of the visibility
> labels
> ----------------------------------------------------------------------------------
>
> Key: HBASE-10326
> URL: https://issues.apache.org/jira/browse/HBASE-10326
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.98.0
> Reporter: ramkrishna.s.vasudevan
> Assignee: ramkrishna.s.vasudevan
> Priority: Critical
> Labels: security
> Fix For: 0.98.0, 0.99.0
>
> Attachments: HBASE-10326.patch, HBASE-10326_1.patch
>
>
> This issue is in lieu with HBASE-10322. In case of export tool, when the
> cells with visibility labels are exported using a super user we should be
> able to export the data. But with the current implementation, the super user
> would also be able to view cells that has visibility labels associated with
> the superuser. The idea of HBASE-10322 is to strip out tags based on user
> and if so this change is necessary for export tool to work with Visibility.
> ACL already has a concept of global admins.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
