[
https://issues.apache.org/jira/browse/HBASE-12823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274664#comment-14274664
]
Anoop Sam John commented on HBASE-12823:
----------------------------------------
Having an offline talk with [~jerryhe], one scenario is that many tables in the
cluster but only one or 2 having vis labelled data. On scan the VC will
install a new Filter to Scan which goes through the tags in every cell. (Well
if there are no tags, negligible impact, but there are some other tags...)
For those tables where vis labelled data need not be stored, no need for any
extra overhead.
We allow CPs can be installed at table level also.
A solution for above scenario is to install VC as Master CP but not as region
CP at cluster level. Add VC to only those table for which we need to store vis
labelled data. (Also VC need to configured as RS CP as we have replication
rewrite and if no replication scenario just leave it)
Only thing missing from code now is we need VC to be installed on labels table
itself. If we are not installing VC at cluster level (but only per table level)
the labels table will not get this..
This can be fixed with a simple change to add VC cp into labels table when we
create it in VC#postStartMaster.
Is this better and enough for now [~jerryhe]?
> Visibility label security at limited localized level
> ----------------------------------------------------
>
> Key: HBASE-12823
> URL: https://issues.apache.org/jira/browse/HBASE-12823
> Project: HBase
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.0.0, 2.0.0, 0.98.10
> Reporter: Jerry He
> Fix For: 2.0.0
>
>
> Currently, if visibility label security is enabled for a HBase instance,
> after VisibilityController is configured, the cell level visibility label
> filtering will kick in across the HBase instance.
> Cell level visibility label filtering has non-negligible performance impact.
> On the other hand, in many use cases, only a small portion of the overall
> data needs visibility label protection.
> If we can support visibility label security at a limited and localized
> level, we will broaden the use cases and the adoption of this feature.
> We should be able to support visibility label security at per table or per
> column family level. This is quite common in many other HBase features.
> Cell level visibility label filtering will only be enabled and kick in for
> the tables or column families that the user designates.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
