[ https://issues.apache.org/jira/browse/HBASE-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13985937#comment-13985937 ]
Andrew Purtell edited comment on HBASE-11078 at 4/30/14 7:12 PM:
-----------------------------------------------------------------
{quote}
Consider a new permission with the semantics "being able to read only granted
cells", perhaps called READ_VISIBLE.
Maybe consider a symmetric new permission for writes.
{quote}
Just to clarify, we can claim the current code provides this semantic. With the
default cell ACL evaluation strategy, in the absence of a CF or CF:qual grant -
let's call this "CF level grant" - then the user will not be authorized to do
anything unless the cell has an ACL that grants appropriate permissions. (Note
that with cell-first both a cell ACL must exist and authorize and CF level
permissions must also authorize.) Or, with the cell-first ACL evaluation
strategy, then regardless of CF level grant the cell must have a permission
authorizing the action. The parent talks about having an option for an
alternative to this behavior. Let's call that READ_INVISIBLE. Perhaps that is a
poor name. Anyway, what would this look like? This, if granted at the CF or
table level, would allow the user to see any cell without an ACL? That is
equivalent to granting READ permission at the CF or table level today. Or maybe
the distinction is pushed down such that it makes a behavioral change with
respect to the cell-first ACL strategy, in which case it could be cells without
any ACLs should grant by default instead of deny.
bq. The lack of default READ perm should prevent users from launching scanners.
We don't have this yet.
was (Author: apurtell):
{quote}
Consider a new permission with the semantics "being able to read only granted
cells", perhaps called READ_VISIBLE.
Maybe consider a symmetric new permission for writes.
{quote}
Just to clarify, we can claim the current code provides this semantic. With the
default cell ACL evaluation strategy, in the absence of a CF or CF:qual grant -
let's call this "CF level grant" - then the user will not be authorized to do
anything unless the cell has an ACL that grants appropriate permissions. Or,
with the cell-first ACL evaluation strategy, then regardless of CF level grant
the cell must have a permission authorizing the action. The parent talks about
having an option for an alternative to this behavior. Let's call that
READ_INVISIBLE. Perhaps that is a poor name. Anyway, what would this look like?
This, if granted at the CF or table level, would allow the user to see any cell
without an ACL? That is equivalent to granting READ permission at the CF or
table level today. Or maybe the distinction is pushed down such that it makes a
behavioral change with respect to the cell-first ACL strategy, in which case it
could be cells without any ACLs should grant by default instead of deny.
bq. The lack of default READ perm should prevent users from launching scanners.
We don't have this yet.
> [AccessController] Consider new permission for "read visible"
> -------------------------------------------------------------
>
> Key: HBASE-11078
> URL: https://issues.apache.org/jira/browse/HBASE-11078
> Project: HBase
> Issue Type: Sub-task
> Reporter: Andrew Purtell
> Fix For: 0.99.0
>
>
> See parent for the whole story.
> Consider a new permission with the semantics "being able to read only granted
> cells", perhaps called READ_VISIBLE.
> Maybe consider a symmetric new permission for writes.
> The lack of default READ perm should prevent users from launching scanners.
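The two cell ACL evaluation strategies described in the comment above, as a small Python model added here for illustration; it is not HBase AccessController code. Assumptions: under the default strategy a CF level grant alone authorizes, the `no_acl_grants` flag models the grant-by-default variant the comment floats for cell-first with the CF level check left unchanged, and all function names and sample cells are constructed.

```python
# Model of the semantics discussed in the comment (hypothetical names,
# constructed data). "acl" is None when the cell carries no ACL at all.
CELLS = [
    {"qual": "a", "acl": {"alice": {"READ"}}},
    {"qual": "b", "acl": {"bob": {"READ"}}},
    {"qual": "c", "acl": None},
    {"qual": "d", "acl": {"alice": {"WRITE"}}},
]


def cell_grants(acl, user, action, no_acl_grants):
    """Does the cell-level check pass for this user and action?"""
    if acl is None:
        # Today a cell without an ACL grants nothing; the variant in the
        # comment would flip this to grant by default (assumption).
        return no_acl_grants
    return action in acl.get(user, set())


def authorized(strategy, cf_grant, acl, user, action="READ",
               no_acl_grants=False):
    """cf_grant: True if the user holds the action at table/CF/CF:qual level."""
    if strategy == "default":
        # Without a CF level grant, only a granting cell ACL authorizes.
        return cf_grant or cell_grants(acl, user, action, False)
    if strategy == "cell-first":
        # Both the cell ACL and the CF level permissions must authorize.
        return cf_grant and cell_grants(acl, user, action, no_acl_grants)
    raise ValueError(f"unknown strategy: {strategy}")


def visible(strategy, cf_grant, user, **kw):
    """Qualifiers a read by `user` would return under the given strategy."""
    return [c["qual"] for c in CELLS
            if authorized(strategy, cf_grant, c["acl"], user, **kw)]


if __name__ == "__main__":
    for strategy in ("default", "cell-first"):
        for cf_grant in (False, True):
            print(strategy, "cf_grant=%s" % cf_grant,
                  visible(strategy, cf_grant, "alice"))
    print("cell-first, no-ACL cells grant:",
          visible("cell-first", True, "alice", no_acl_grants=True))
```

Under the default strategy with no CF level grant, `alice` sees only the cell whose ACL grants her READ, which is the "read only granted cells" behaviour the comment says the current code already provides.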