[
https://issues.apache.org/jira/browse/HBASE-11432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14046920#comment-14046920
]
Andrew Purtell commented on HBASE-11432:
----------------------------------------
bq. This first 'if' check will mean that even if compatibleEarlyTermination is
false or true it is not going to check the cell level permission.
cellFeaturesEnabled is always true unless running with HFile < 3, so in the
typical case this expression is
{code}
if (false || compatibleEarlyTermination)
{code}
So this is really a test for 'compatibleEarlyTermination'.
{quote}
But if we allow that then the || condition in
{code}
if (authManager.authorize(user, table, family, qualifier,
Permission.Action.READ) ||
authManager.authorize(user, table, cell, Permission.Action.READ)) {
return ReturnCode.INCLUDE;
}
{code}
has to be changed to
{code}
authManager.authorize(user, table, cell, Permission.Action.READ))
{code}
{quote}
This code is also called from AccessControlFilter when processing scans.
> [AccessController] Remove cell first strategy
> ---------------------------------------------
>
> Key: HBASE-11432
> URL: https://issues.apache.org/jira/browse/HBASE-11432
> Project: HBase
> Issue Type: Bug
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Fix For: 0.99.0, 0.98.4
>
> Attachments: HBASE-11432.patch
>
>
> The cell first evaluation strategy for cell ACLs has been a problem since
> introduction. It was an afterthought and a mistake. It's not possible to use
> at all with the default config on trunk after HBASE-11077. Fairly certain
> there are no users. Remove. Deprecate related client API methods on Query.
> (Remove on trunk?)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
