[
https://issues.apache.org/jira/browse/HBASE-11699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-11699:
-----------------------------------
Fix Version/s: (was: 0.98.7)
0.98.8
I don't think the latest patch fully addressed above comments, which I suspect
why there hasn't been additional comment on this issue. In the latest patch I
see a new class RegionServersMetaTableAccessor and a backing table strictly
concerned with including or excluding hosts. This doesn't generalize to a
region server settings table as suggested by [~mbertozzi] and [~busbey].
If we don't want to do more than make an access control decision on the META
table using a combination of inclusion and exclusion lists, then alternatively
this could be implemented in the AccessController. The latest patch on this
issue proposes a narrowly focused access control component in core, so move it
into the existing AccessController component, perhaps a (backwards compatible)
extension to ACLs that restricts their scope to an address or hostname, the
latter preferably. Then a blacklist could be expressed as one or more ACL
entries with an empty global perm set qualified with a hostname. Or a whitelist
could be expressed as first a global ACL denying reads to META followed by a
set of global ACLs allowing reads to META qualified with hostnames. (We'd need
to insure the AccessController does the right thing for the whitelist case, by
engineering an ACL sort order where grants-by-host sort above a global empty
perm set in the ACL table.) Historically I've resisted putting service
authorization logic into the AccessController, such as IP / server name based
access decisions, but we are not going to see a capable unified service
authorization framework coming out of Hadoop core, instead a set of competing
incompatible alternatives with varying degrees of uptake, so we might want to
take service authorization matters into our own hands.
Moving to 0.98.8
> Region servers exclusion list to HMaster.
> -----------------------------------------
>
> Key: HBASE-11699
> URL: https://issues.apache.org/jira/browse/HBASE-11699
> Project: HBase
> Issue Type: New Feature
> Components: Admin, Client, regionserver, Zookeeper
> Affects Versions: 0.98.3
> Reporter: Gomathivinayagam Muthuvinayagam
> Priority: Minor
> Labels: patch
> Fix For: 2.0.0, 0.98.8, 0.99.1
>
> Attachments: HBASE_11699.patch, HBASE_11699_v1.patch,
> HBASE_11699_v2.patch, HBASE_11699_v3.patch, HBASE_11699_v4.patch,
> HBASE_11699_v5.patch, HBASE_11699_v6.patch, HBASE_11699_v7.patch
>
> Original Estimate: 96h
> Remaining Estimate: 96h
>
> Currently HBase does not support adding set of region servers to be in the
> exclusion list. So that administrators can prevent accidental startups of
> some region servers to join the cluster. There was initially some work done,
> and it is available in https://issues.apache.org/jira/browse/HBASE-3833. It
> was not done after that.
> I am planning to contribute it as a patch, and I would like to do some
> improvements as well. Instead of storing the exclusion entries on a file, I
> am planning to store it on zookeeper. Can anyone suggest thoughts on this?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
