[
https://issues.apache.org/jira/browse/HBASE-11434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052181#comment-14052181
]
Hudson commented on HBASE-11434:
--------------------------------
SUCCESS: Integrated in HBase-0.98-on-Hadoop-1.1 #354 (See
[https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/354/])
HBASE-11434 [AccessController] Disallow inbound cells with reserved tags
(apurtell: rev 54c186b42c3c77248783d2c3d9181c12e7b06802)
*
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
*
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
> [AccessController] Disallow inbound cells with reserved tags
> ------------------------------------------------------------
>
> Key: HBASE-11434
> URL: https://issues.apache.org/jira/browse/HBASE-11434
> Project: HBase
> Issue Type: Improvement
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Fix For: 0.99.0, 0.98.4
>
> Attachments: HBASE-11434.patch, HBASE-11434.patch, HBASE-11434.patch,
> HBASE-11434.patch
>
>
> The AccessController allows users to store cells with ACL tags encoded by the
> client. This isn't a security issue currently, because in order to store the
> cell the user must have a relevant WRITE grant, and the user is allowed to
> specify whatever ACL for the cell they'd like. However it could become a
> correctness problem in the future, if we introduce format sanity checking or
> the like, so let's disallow inbound mutations containing cells with reserved
> tags like the VisibilityController does.
> The check is skipped if the active user is a superuser. First, superusers are
> allowed to do anything. Second, replication (as superuser) must be able to
> store incoming cells with ACL tags.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
