[ 
https://issues.apache.org/jira/browse/HBASE-11384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14072893#comment-14072893
 ] 

ramkrishna.s.vasudevan commented on HBASE-11384:
------------------------------------------------

bq.HTD#setCheckAuthsForMutation(boolean setCheckAuths)
Having it at cluster level is also fine, but if we allow HTD.setValue() then we 
have to expose that config outside.  Making it true by default would mean that 
it is on by default. 
bq.We have to handle in IntegrationTestIngestWithVisibilityLabels?
I checked this and found that it is calling LoadTestTool.  That is why I changed 
it in LTT. Does it make sense?
bq.Just have a boolean instance member in VC and init it on postOpen()?
Okie. 
bq.AccessDeniedException is okay?
A previous comment from Andy suggested that it be AccessDenied.  Hence I changed 
it. Changing to authorized is fine with me in the comment. 
bq.Why pass Configuration when you can get the same from HBaseTestingUtility?
Will remove the configuration. Initially I did not pass the TestingUtility; I 
added it later.
Will remove the copy paste issue in the comment. 
bq.We should fail() after the table.put() call within try block
The intention was that we would definitely get an exception, so I wanted to 
validate the type of error alone. Fine with adding a fail() also.
bq.By default we will have auth check for labels in Mutation visibility 
expression
Yes. Fine with updating the documentation.

> [Visibility Controller]Check for users covering authorizations for every 
> mutation
> ---------------------------------------------------------------------------------
>
>                 Key: HBASE-11384
>                 URL: https://issues.apache.org/jira/browse/HBASE-11384
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 0.98.3
>            Reporter: ramkrishna.s.vasudevan
>            Assignee: ramkrishna.s.vasudevan
>             Fix For: 0.99.0, 0.98.5
>
>         Attachments: HBASE-11384.patch, HBASE-11384_1.patch, 
> HBASE-11384_2.patch, HBASE-11384_3.patch, HBASE-11384_4.patch
>
>
> As part of discussions, it is better that every mutation, either Put/Delete 
> with Visibility expressions, should validate if the expression has labels for 
> which the user has authorization.  If not, fail the mutation.
> Suppose User A is associated with A,B and C.  The put has a visibility 
> expression A&D. Then fail the mutation as D is not associated with User A.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
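
The check the issue description asks for, as an added Java sketch that is not code from the HBASE-11384 patches: collect every label named in a mutation's visibility expression and reject the mutation when the user holds no authorization for one of them. The class and method names are hypothetical, `SecurityException` stands in for the exception type discussed in the comment, and the label grammar is an assumption simplified to unquoted letters, digits and `_`.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical stand-alone sketch; not the VisibilityController code from the patch. */
public class MutationAuthCheck {
    // Assumption: a token is an unquoted label (letters, digits, '_') or one of & | ! ( ).
    private static final Pattern TOKEN = Pattern.compile("\\s*(?:([A-Za-z0-9_]+)|[&|!()])");

    /** Every label named in the expression, whatever operator surrounds it. */
    static Set<String> labelsIn(String expression) {
        Set<String> labels = new LinkedHashSet<>();
        String expr = expression.trim();
        Matcher m = TOKEN.matcher(expr);
        for (int pos = 0; pos < expr.length(); pos = m.end()) {
            m.region(pos, expr.length());
            if (!m.lookingAt()) {
                throw new IllegalArgumentException("bad token at offset " + pos + ": " + expr);
            }
            if (m.group(1) != null) labels.add(m.group(1));
        }
        return labels;
    }

    /** Rejects the mutation when its expression names a label the user does not hold. */
    static void checkMutation(String user, String expression, Set<String> userAuths,
                              boolean checkAuths) {
        if (!checkAuths) return; // check disabled by configuration
        Set<String> missing = labelsIn(expression);
        missing.removeAll(userAuths);
        if (!missing.isEmpty()) {
            throw new SecurityException("user " + user + " lacks authorization for " + missing);
        }
    }

    public static void main(String[] args) {
        Set<String> authsOfUserA = Set.of("A", "B", "C"); // values from the issue description
        checkMutation("A", "A&B", authsOfUserA, true);     // all labels held: accepted
        try {
            checkMutation("A", "A&D", authsOfUserA, true);
            throw new AssertionError("A&D should have been rejected"); // the fail() in the try
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

A label behind `!` or `|` is collected like any other, following the description's rule that the expression may only name labels associated with the user.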
