[
https://issues.apache.org/jira/browse/HBASE-7123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13989067#comment-13989067
]
Andrew Purtell commented on HBASE-7123:
---------------------------------------
When refactoring permissionGranted, requirePermission, and related functions,
make the decision making the evaluation of a chain of predicates. The chain can
be configured by site configuration or perhaps a security policy file.
We can incorporate HBASE-11095 as a predicate implementation.
> Refactor internal methods in AccessController
> ---------------------------------------------
>
> Key: HBASE-7123
> URL: https://issues.apache.org/jira/browse/HBASE-7123
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Andrew Purtell
>
> The authorize(), permissionGranted(), and requirePermission() methods in
> AccessController have organically grown as both the HBase client API and the
> AccessController itself have evolved, and now have several problems:
> - Code duplication (minor)
> - Unused variants (minor)
> - Signatures optimized for checking certain operations that have a familyMap.
> Unfortunately different operations have different ideas of what type a
> familyMap should be. This leads to runtime type checking and the need to
> convert one family map to another (e.g. {{Map<byte[],
> NavigableMap<byte[],Object>>}} to {{Map<byte[], Set<byte[]>>}}). (That kind of
> conversion code in a hot path hurts to look at.) There are too many Java
> collection type combinations floating around. Some of this should be
> approached at the client API level too, for example with HBASE-7114.
> - Only one Permission.Action can be checked at a time. We should really
> convert these into a bitmap if multiple actions need checking and pass that
> around instead.