[jira] [Commented] (HBASE-6192) Document ACL matrix in the book

Thu, 19 Jun 2014 16:15:05 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038083#comment-14038083
 ] 

Andrew Purtell commented on HBASE-6192:
---------------------------------------

bq. Can you grant at the RegionServer or master level or any others?

It's probably more useful to describe permissions as fitting into levels in the 
data model as opposed to what particular daemon might be involved in 
decisionmaking. The hierarchy is global -> namespace -> table -> cf -> cq -> 
cell. We start checking if the user has the necessary permission bit at the top 
of the hierarchy and walk down until we find a grant. So a bit granted at table 
level dominates any grants done at the cf, cf+cq, or cell level; the user can 
do what that bit implies at any location in the table. Or, a bit granted at 
global scope dominates all, the user is always allowed to take that action 
everywhere. 

Mostly, permissions for global administrative and schema operations are checked 
in the master, while permissions for queries and mutations are checked at the 
region level (since coprocessors can be installed on a per table basis). We 
also do one check for ADMIN capability at the RegionServer level, if the user 
is allowed to issue a stop request. Some admin actions like flush, compact, and 
split requests are also checked at the region level, because clients can issue 
those directly to the regionservers. 

> Document ACL matrix in the book
> -------------------------------
>
>                 Key: HBASE-6192
>                 URL: https://issues.apache.org/jira/browse/HBASE-6192
>             Project: HBase
>          Issue Type: Task
>          Components: documentation, security
>    Affects Versions: 0.94.1, 0.95.2
>            Reporter: Enis Soztutar
>            Assignee: Misty Stanley-Jones
>              Labels: documentaion, security
>             Fix For: 0.99.0
>
>         Attachments: HBASE-6192-2.patch, HBASE-6192-rebased.patch, 
> HBASE-6192.patch, HBase Security-ACL Matrix.pdf, HBase Security-ACL 
> Matrix.pdf, HBase Security-ACL Matrix.pdf, HBase Security-ACL Matrix.xls, 
> HBase Security-ACL Matrix.xls, HBase Security-ACL Matrix.xls
>
>
> We have an excellent matrix at 
> https://issues.apache.org/jira/secure/attachment/12531252/Security-ACL%20Matrix.pdf
>  for ACL. Once the changes are done, we can adapt that and put it in the 
> book, also add some more documentation about the new authorization features. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to