[
https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jerry He updated HBASE-12745:
-----------------------------
Release Note:
VisibilityClient API and shell commands can be used to grant and clear
visibility authorizations of a group.
e.g.
set_auths '@group1', ['SECRET','PRIVATE']
get_auths '@group1'
clear_auths '@group1', ['SECRET','PRIVATE']
When checking visibility authorizations of a user, the server will include the
visibility authorizations of the groups of which the user is a member, together
with the user's own.
On the other hand, get_auths 'user1' will only get user1's own visibility
authorizations.
clear_auths 'user1' will only clear user1's own visibility authorizations.
The visibility authorizations of a group can be changed by invoking the API or
command on the '@group1' itself.
Note:
The following two methods have been deprecated in VisibilityLabelService from
0.98.10 and will be removed in 2.0+ releases.
getAuths(byte[], boolean)
havingSystemAuth(byte[])
Use the following methods instead:
getUserAuths(byte[], boolean)
getGroupAuths(String[], boolean)
havingSystemAuth(User)
was:
VisibilityClient API and shell commands can be used to grant and clear
visibility authorizations of a group.
e.g.
set_auths '@group1', ['SECRET','PRIVATE']
get_auths '@group1'
clear_auths '@group1', ['SECRET','PRIVATE']
When checking visibility authorizations of a user, the server will include the
visibility authorizations of the groups of which the user is a member, together
with the user's own.
On the other hand, get_auths 'user1' will only get user1's own visibility
authorizations.
clear_auths 'user1' will only clear user1's own visibility authorizations.
The visibility authorizations of a group can be changed by invoking the API or
command on the '@group1' itself.
> Visibility Labels: support visibility labels for user groups.
> --------------------------------------------------------------
>
> Key: HBASE-12745
> URL: https://issues.apache.org/jira/browse/HBASE-12745
> Project: HBase
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.0.0, 0.98.9, 0.99.2
> Reporter: Jerry He
> Assignee: Jerry He
> Fix For: 1.0.0, 2.0.0, 0.98.10, 1.1.0
>
> Attachments: HBASE-12745-master-v1.patch,
> HBASE-12745-master-v2.patch, HBASE-12745-master-v3.patch,
> HBASE-12745-master-v4.patch, HBASE-12745-master-v5.patch,
> HBASE-12745-master-v6.patch, HBASE-12745-master-v7.patch,
> HBASE-12745-v7-0.98-with-update.patch, HBASE-12745-v7-0.98.patch,
> HBASE-12745-v7-branch1.patch, hbase-12745_branch-1-addendum.patch,
> hbase-12745_branch-1-addendum2.patch
>
>
> The thinking is that we should support visibility labels to be associated
> with user groups.
> We will then be able grant visibility labels to a group in addition to
> individual users, which provides convenience and usability.
> We will use '@group' to denote a group name, as similarly done in
> AcccessController.
> For example,
> {code}
> set_auths '@group1', ['SECRET','PRIVATE']
> {code}
> {code}
> get_auth '@group1'
> {code}
> A user belonging to 'group1' will have all the visibility labels granted to
> 'group1'
> We'll also support super user groups as specified in hbase-site.xml.
> The code update will mainly be on the server side VisibilityLabelService
> implementation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
