[jira] [Comment Edited] (HBASE-11077) [AccessController] Restore compatible early-out access denial

Wed, 30 Apr 2014 14:54:07 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-11077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986124#comment-13986124
 ] 

Andrew Purtell edited comment on HBASE-11077 at 4/30/14 9:53 PM:
-----------------------------------------------------------------

bq. I think early_out should be set to true by default, so that it is least 
surprise to the admin.

Then we break compatibility from 0.98.1 to 0.98.2, in that default behavior 
prior to 0.98.2 in the 0.98 release line is quite different. And, unfortunately 
cell ACLs would become largely useless, unless the admin research the feature 
and flip the attribute to "false", because when we early out at CF checks to 
retain pre-0.98 behavior the cell ACLs that would otherwise grant exceptional 
access won't be visited, unless using the cell-first strategy, which has the 
drawback of requiring the cell grant access. 

bq. Did you stop pursuing the READ_INVISIBLE priv aproach?

Check out the other subtask and let's figure out what makes sense for 0.99+. 

Edits: Clarity, sorry for the multiple changes.


was (Author: apurtell):
bq. I think early_out should be set to true by default, so that it is least 
surprise to the admin.

Then we break compatibility from 0.98.1 to 0.98.2. And, cell ACLs become 
largely useless, since we early out at CF checks, they can't grant exceptional 
access unless using the cell-first strategy, which has the drawback of 
requiring the cell grant access. 

bq. Did you stop pursuing the READ_INVISIBLE priv aproach?

Check out the other subtask and let's figure out what makes sense for 0.99+. 
It's not a trivial discussion.

> [AccessController] Restore compatible early-out access denial
> -------------------------------------------------------------
>
>                 Key: HBASE-11077
>                 URL: https://issues.apache.org/jira/browse/HBASE-11077
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.99.0, 0.98.2
>
>         Attachments: HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch, 
> HBASE-11077.patch
>
>
> See parent for the whole story.
> For 0.98, to start, just put back the early out that was removed in 0.98.0 
> and allow it to be overridden with a table attribute. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to