[
https://issues.apache.org/jira/browse/HBASE-13239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14361441#comment-14361441
]
Srikanth Srungarapu commented on HBASE-13239:
---------------------------------------------
That's super fast, [[email protected]]!
Some minor concerns:
* We can check for LOG.isDebugEnabled()
{code}
- return authorize(globalCache.getGroup(groupName), action);
+ List<Permission> perms = globalCache.getGroup(groupName);
+ LOG.debug("authorizing " + (perms != null && !perms.isEmpty() ?
perms.get(0) : "") +
+ " for " + action);
+ return authorize(perms, action);
{code}
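Review bot: The LOG.debug call prints only perms.get(0) and leaves out groupName, so for a group holding more than one global permission the message names a permission that may not be the one authorize(perms, action) ends up matching, and it does not say which group was checked. Log groupName together with the whole list (or its size) rather than the first element. Putting the call behind LOG.isDebugEnabled() also avoids building the string on every authorization check.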
* Any particular reason for creating a local variable *tblPerms*?
{code}
+ List<TablePermission> tblPerms =
getTablePermissions(table).getGroup(groupName);
+ return authorize(tblPerms, table, family, action);
{code}
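Review bot: tblPerms is assigned and then passed straight to authorize(tblPerms, table, family, action) with nothing reading it in between, so the local adds a line without adding information. Either keep the single-expression form, or, if the intent was to log here as the other two hunks do, add that debug line so the variable has a second use.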
* We can reuse the new function by calling it inside the existing *authorizeGroup*, using null for the qualifier value.
{code}
+ /**
+ * Checks authorization to a given table, column family and column for a
group, based
+ * on the stored permissions.
+ * @param groupName
+ * @param table
+ * @param family
+ * @param qualifier
+ * @param action
+ * @return true if known and authorized, false otherwise
+ */
+ public boolean authorizeGroup(String groupName, TableName table, byte[]
family,
+ byte[] qualifier, Permission.Action action) {
+ // Global authorization supercedes table level
+ if (authorizeGroup(groupName, action)) {
+ return true;
+ }
+ if (table == null) table = AccessControlLists.ACL_TABLE_NAME;
+ // Namespace authorization supercedes table level
+ String namespace = table.getNamespaceAsString();
+ if (authorize(getNamespacePermissions(namespace).getGroup(groupName),
namespace, action)) {
+ return true;
+ }
+ // Check table level
+ List<TablePermission> tblPerms =
getTablePermissions(table).getGroup(groupName);
+ LOG.debug("authorizing " + (tblPerms != null && !tblPerms.isEmpty() ?
tblPerms.get(0) : "") +
+ " for " +groupName + " on " + table + "." + Bytes.toString(family) + "."
+
+ Bytes.toString(qualifier) + " with " + action);
+ return authorize(tblPerms, table, family, qualifier, action);
}
{code}
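Review bot: The line "if (table == null) table = AccessControlLists.ACL_TABLE_NAME;" silently turns a missing table into a check against the ACL table, and the Javadoc above it has five empty @param tags that document neither this fallback nor what a null family or qualifier means to the caller. Fill in the @param descriptions, stating the null-table behaviour and the null-qualifier case explicitly, since callers of an authorization method need to know which inputs widen the check. The LOG.debug call also concatenates Bytes.toString(family) and Bytes.toString(qualifier) on every invocation and shows only tblPerms.get(0); guard it with LOG.isDebugEnabled() and log the full list. "supercedes" in both comments should be "supersedes".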
> Hbase grants at specific column level does not work for Groups
> ----------------------------------------------------------------
>
> Key: HBASE-13239
> URL: https://issues.apache.org/jira/browse/HBASE-13239
> Project: HBase
> Issue Type: Bug
> Components: hbase
> Affects Versions: 0.98.4
> Reporter: Jaymin Patel
> Assignee: Ted Yu
> Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.12
>
> Attachments: 13239-v1.txt
>
>
> While performing Grant command to a specific column in a table - to a
> specific group does not produce needed results. However, when specific user
> is mentioned (instead of group name) in grant command, it becomes effective.
> Steps to Reproduce :
> 1) using super-user, Grant a table/column family/column level grant to a group
> 2) login using a user ( part of the above group) and scan the table. It does
> not return any results
> 3) using super-user, Grant a table/column family/column level grant to a
> specific user ( instead of group)
> 4) login using that specific user and scan the table. It produces correct
> results, i.e. provides only the column where user has select privileges