[ https://issues.apache.org/jira/browse/HBASE-11077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-11077:
-----------------------------------

    Release Note: 
Prior to 0.98.0 if a user was not granted access to a column family or partial 
access (qualifier grants), then the AccessController would immediately throw 
back an AccessDeniedException. This behavior was changed in 0.98.0 to allow 
cell level ACLs to grant exceptional access. The user will no longer see an 
exception; instead the scanner will return result sets only including cells 
which grant exceptional access. If no such cell level grants are made, then the 
scanner will return the empty result set. 

This change introduces a configuration setting which restores the pre-0.98.0 
behavior. It can be set in the site file for global effect, or per table using 
HTableDescriptor#setConfiguration. This setting is 
AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT 
("hbase.security.access.early_out"), a boolean. Set to "true" for backwards 
compatible behavior. As a consequence if there are no grants at the CF level 
then an AccessDeniedException will be thrown immediately, and cell ACLs will be 
ignored, unless the cell-first ACL evaluation strategy is used (toggled via 
Query#setACLStrategy). 

This change also repairs a defect related to audit logging. In all cases, 
compatible behavior or not, indications of successful or failed access attempts 
will be logged.

  was:
Prior to 0.98.0 if a user was not granted access to a column family or partial 
access (qualifier grants), then the AccessController would immediately throw 
back an AccessDeniedException. This behavior was changed in 0.98.0 to allow 
cell level ACLs to grant exceptional access. The user will no longer see an 
exception; instead the scanner will return result sets only including cells 
which grant exceptional access. If no such cell level grants are made, then the 
scanner will return the empty result set. 

This change introduces a configuration setting which restores the pre-0.98.0 
behavior. It can be set in the site file for global effect, or per table using 
HTableDescriptor#setConfiguration. This setting is 
AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT 
("hbase.security.access.early_out"), a boolean. Set to "true" for backwards 
compatible behavior. As a consequence if there are no grants at the CF level 
then cell ACLs will be ignored unless the cell-first ACL evaluation strategy is 
used (toggled via Query#setACLStrategy). 


> [AccessController] Restore compatible early-out access denial
> -------------------------------------------------------------
>
>                 Key: HBASE-11077
>                 URL: https://issues.apache.org/jira/browse/HBASE-11077
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.99.0, 0.98.2
>
>         Attachments: HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch, 
> HBASE-11077.patch
>
>
> See parent for the whole story.
> For 0.98, to start, just put back the early out that was removed in 0.98.0 
> and allow it to be overridden with a table attribute. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
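
An added illustration, not HBase code and not part of the original message: a simplified Python model of the read decision the release note describes for a user with no column-family-level grant. The names `Cell`, `AuditLog` and `scan_without_cf_grant`, the audit record format and the sample cells are hypothetical.

```python
# Simplified model of the release note's read-path decision, restricted to a
# user who has NO column-family-level grant. Illustration only, not HBase code.
from dataclasses import dataclass, field


class AccessDeniedException(Exception):
    """Stand-in for the exception named in the release note."""


@dataclass
class Cell:
    qualifier: str
    value: str
    acl_readers: frozenset = frozenset()  # users granted read by a cell-level ACL


@dataclass
class AuditLog:
    # Hypothetical record format: (user, outcome).
    records: list = field(default_factory=list)

    def log(self, user, outcome):
        self.records.append((user, outcome))


def scan_without_cf_grant(user, cells, early_out, cell_first, audit):
    """Return the cells `user` may read when no CF-level grant exists.

    early_out  models hbase.security.access.early_out
    cell_first models the cell-first strategy toggled via Query#setACLStrategy
    """
    if early_out and not cell_first:
        # Compatible (pre-0.98.0) behaviour: deny at once, cell ACLs ignored.
        audit.log(user, "denied")
        raise AccessDeniedException(user)
    # 0.98.0 behaviour, or cell-first strategy: only cells whose own ACL grants
    # access come back; the result may be empty and no exception is raised.
    visible = [c for c in cells if user in c.acl_readers]
    audit.log(user, "cells_returned=%d" % len(visible))
    return visible


# Constructed sample data: one cell with a cell-level grant for alice, one without.
SAMPLE_CELLS = [
    Cell("q1", "v1", frozenset({"alice"})),
    Cell("q2", "v2"),
]
```

The case to watch after enabling the setting is the third one in the release note: a client that relied on cell ACLs alone now receives an exception instead of a filtered result unless it opts into the cell-first strategy.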
