[
https://issues.apache.org/jira/browse/HBASE-11384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14074365#comment-14074365
]
Anoop Sam John commented on HBASE-11384:
----------------------------------------
I think we must bypass the covering auth check for super user, in order to make
sure the distributed log replay and replication work even when the config is
ON in the cluster.
nit:
{code}
+ if (auths != null) {
+ if (!auths.contains(labelOrdinal)) {
+ throw new AccessDeniedException("Visibility label " + identifier
+ + " not authorized for the user " + userName);
+ }
+ } else {
+ throw new AccessDeniedException("Visibility label " + identifier
+ + " not authorized for the user " + userName);
+ }
{code}
Can be
{code}
+ if (auths == null || (!auths.contains(labelOrdinal))) {
+ throw new AccessDeniedException("Visibility label " + identifier
+ + " not authorized for the user " + userName);
+ }
{code}
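Review bot: in the collapsed condition the inner parentheses around !auths.contains(labelOrdinal) are redundant, so auths == null || !auths.contains(labelOrdinal) is enough. The null test has to stay on the left so the short-circuit guards the contains call. Written that way the single branch still denies when auths is null, the same as the two-branch version above it.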
> [Visibility Controller]Check for users covering authorizations for every
> mutation
> ---------------------------------------------------------------------------------
>
> Key: HBASE-11384
> URL: https://issues.apache.org/jira/browse/HBASE-11384
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 0.98.3
> Reporter: ramkrishna.s.vasudevan
> Assignee: ramkrishna.s.vasudevan
> Fix For: 0.99.0, 0.98.5
>
> Attachments: HBASE-11384.patch, HBASE-11384_1.patch,
> HBASE-11384_2.patch, HBASE-11384_3.patch, HBASE-11384_4.patch,
> HBASE-11384_6.patch, HBASE-11384_7.patch
>
>
> As part of discussions, it is better that every mutation, either Put/Delete
> with Visibility expressions, should validate if the expression has labels for
> which the user has authorization. If not, fail the mutation.
> Suppose User A is associated with A,B and C. The put has a visibility
> expression A&D. Then fail the mutation as D is not associated with User A.
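The covering check from the issue description, combined with the super-user bypass raised in the comment, as an added Java example that is not code from the HBase patch. Assumptions: the class and method names are hypothetical, labels are compared as strings rather than ordinals, `SecurityException` stands in for HBase's `AccessDeniedException`, and the expression is tokenized only on `&`, `|`, `!` and parentheses.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical, not HBase APIs.
public class CoveringAuthCheck {

    /** Collects the label names used in an expression such as "A&(B|!D)". */
    static Set<String> labelsIn(String expression) {
        Set<String> labels = new LinkedHashSet<>();
        // Operators and parentheses separate labels; quoted labels are not handled.
        for (String token : expression.split("[&|!()\\s]+")) {
            if (!token.isEmpty()) {
                labels.add(token);
            }
        }
        return labels;
    }

    /** Throws unless every label in the expression is among the user's authorizations. */
    static void checkCovering(String user, Set<String> auths, boolean superUser,
                              String expression) {
        if (superUser) {
            return; // bypass so system-driven writes (log replay, replication) are not rejected
        }
        for (String label : labelsIn(expression)) {
            // Fail closed: a user with no authorization set (null) covers nothing.
            if (auths == null || !auths.contains(label)) {
                throw new SecurityException("Visibility label " + label
                    + " not authorized for the user " + user);
            }
        }
    }

    public static void main(String[] args) {
        Set<String> authsOfA = new HashSet<>(Arrays.asList("A", "B", "C"));
        checkCovering("userA", authsOfA, false, "A&B");     // every label is covered
        checkCovering("hbase", null, true, "A&D");          // super user skips the check
        try {
            checkCovering("userA", authsOfA, false, "A&D"); // D is not associated with the user
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            checkCovering("userB", null, false, "A");       // user has no authorizations
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```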