[jira] [Commented] (HBASE-16071) The VisibilityLabelFilter should not count the "delete cell"

[ChiaPing Tsai (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HBASE-16071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346218#comment-15346218
 ] 

ChiaPing Tsai commented on HBASE-16071:
---------------------------------------

The raw scan is useful for troubleshooting or backup. For example, we can log 
all mutations to trace the user behavior or restore a table to point in time.
It seems to me that the purpose of raw scan remains unchanged whether the raw 
scan is ran with security or not. The raw scan retrieves all delete marker and 
deleted cells w/o ACL and visibility. On the other hand, the raw scan ran in 
the secure HBase retrieves the same cells, excluding the unpermissible cells.

thanks

> The VisibilityLabelFilter should not count the "delete cell"
> ------------------------------------------------------------
>
>                 Key: HBASE-16071
>                 URL: https://issues.apache.org/jira/browse/HBASE-16071
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: ChiaPing Tsai
>            Assignee: ChiaPing Tsai
>            Priority: Minor
>             Fix For: 2.0.0, 1.3.0, 1.4.0
>
>         Attachments: HBASE-16071-v1.patch
>
>
> The VisibilityLabelFilter will see and count the "delete cell" if the 
> scan.isRaw() returns true, so the (put) cell will be skipped if it has lower 
> version than "delete cell"
> The critical code is shown below:
> {code:title=VisibilityLabelFilter.java|borderStyle=solid}
>   public ReturnCode filterKeyValue(Cell cell) throws IOException {
>     if (curFamily.getBytes() == null
>         || !(CellUtil.matchingFamily(cell, curFamily.getBytes(), 
> curFamily.getOffset(),
>             curFamily.getLength()))) {
>       curFamily.set(cell.getFamilyArray(), cell.getFamilyOffset(), 
> cell.getFamilyLength());
>       // For this family, all the columns can have max of 
> curFamilyMaxVersions versions. No need to
>       // consider the older versions for visibility label check.
>       // Ideally this should have been done at a lower layer by HBase (?)
>       curFamilyMaxVersions = cfVsMaxVersions.get(curFamily);
>       // Family is changed. Just unset curQualifier.
>       curQualifier.unset();
>     }
>     if (curQualifier.getBytes() == null
>         || !(CellUtil.matchingQualifier(cell, curQualifier.getBytes(), 
> curQualifier.getOffset(),
>             curQualifier.getLength()))) {
>       curQualifier.set(cell.getQualifierArray(), cell.getQualifierOffset(),
>           cell.getQualifierLength());
>       curQualMetVersions = 0;
>     }
>     curQualMetVersions++;
>     if (curQualMetVersions > curFamilyMaxVersions) {
>       return ReturnCode.SKIP;
>     }
>     return this.expEvaluator.evaluate(cell) ? ReturnCode.INCLUDE : 
> ReturnCode.SKIP;
>   }
> {code}
> [VisibilityLabelFilter.java|https://github.com/apache/hbase/blob/d7a4499dfc8b3936a0eca867589fc2b23b597866/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)