[jira] [Commented] (HBASE-12823) Visibility label security at limited localized level

Fri, 16 Jan 2015 23:34:53 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-12823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14281249#comment-14281249
 ] 

ramkrishna.s.vasudevan commented on HBASE-12823:
------------------------------------------------

Chiming in very late here. 
Reading the different comments, the super user behaviour and the user's granted 
with the A and C permission for a table but with R permission of the table 
would anyway have the access to change the behaviour of the table. 
So an user with A or C permission could set the parameter on the table 
descriptor (or via column descriptor) to enable this. The VC would have access 
to this information and decide whether to act on the visibility labels or not?  
So a table with no VC would just ignore the visibility in the mutations or 
throw exception. Going with region level VC would still work out. Going with a 
patch may help us to find if any pros and cons in moving the VC to table level. 
 Any way to associate VC to a table we may need shell support and API support, 
right?

> Visibility label security at limited localized level
> ----------------------------------------------------
>
>                 Key: HBASE-12823
>                 URL: https://issues.apache.org/jira/browse/HBASE-12823
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>             Fix For: 2.0.0
>
>
> Currently, if visibility label security is enabled for a HBase instance, 
> after VisibilityController is configured, the cell level visibility label 
> filtering will kick in across the HBase instance.
> Cell level visibility label filtering has non-negligible performance impact.
> On the other hand, in many use cases, only a small portion of the overall 
> data needs visibility label protection.
> If we can support  visibility label security at a limited and localized 
> level, we will broaden the use cases and the adoption of this feature.
> We should be able to support visibility label security at per table or per 
> column family level. This is quite common in many other HBase features.
> Cell level visibility label filtering will only be enabled and kick in for 
> the tables or column families that the user designates.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to