[ 
https://issues.apache.org/jira/browse/HBASE-16700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665402#comment-15665402
 ] 

Enis Soztutar commented on HBASE-16700:
---------------------------------------

bq. Here I want to allow for whitelisting coprocessors, but as one can always 
be sneaky (or ignorant) and use someone else's class name in a multi-tenant 
environment, the only permissioning point I could get a handle on was the 
filesystem. 
I was asking whether we want to do class name white listing on top of path 
white listing. It should be fine for now. 

bq. This ensures one can now use file:/// for whitelisting but no hdfs:/// 
paths to achieve what you have asked for Phoenix (or any local coprocessors).
I was more thinking of only allowing coprocessors already in the classpath. 
Phoenix coprocessors are not defined with a path, assuming that they are 
already under the hbase lib dir. So, not even random stuff from the local file 
system. If you configure the allowed path to be a non-existing path for 
example, you can achieve the effect, but it would be better if there is an 
easier way. Something like the opposite of a wildcard, which matches no string, so 
that the user cannot ever dynamically load any coprocessor class. 

Can you please also add some doc / javadoc on how to configure this (maybe a 
couple of examples)? 

> Allow for coprocessor whitelisting
> ----------------------------------
>
>                 Key: HBASE-16700
>                 URL: https://issues.apache.org/jira/browse/HBASE-16700
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors
>            Reporter: Clay B.
>            Priority: Minor
>              Labels: security
>         Attachments: HBASE-16700.000.patch, HBASE-16700.001.patch, 
> HBASE-16700.002.patch, HBASE-16700.003.patch, HBASE-16700.004.patch, 
> HBASE-16700.005.patch
>
>
> Today one can turn off all non-system coprocessors with 
> {{hbase.coprocessor.user.enabled}}; however, this disables very useful things 
> like Apache Phoenix's coprocessors. Some tenants of a multi-user HBase may 
> also need to run bespoke coprocessors. But as an operator I would not want 
> wanton coprocessor usage. Ideally, one could do one of two things:
> * Allow coprocessors defined in {{hbase-site.xml}} -- this can only be 
> administratively changed in most cases
> * Allow coprocessors from table descriptors but only if the coprocessor is 
> whitelisted
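
The policy discussed in the comment above, sketched as an added example (not code from the HBase patch or from either participant). The function name, the glob syntax, and the rule that an empty whitelist denies every dynamically loaded jar are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from posixpath import normpath
from typing import Optional, Sequence
from urllib.parse import urlparse


def coprocessor_allowed(jar_path: Optional[str], whitelist: Sequence[str]) -> bool:
    """Hypothetical check for a coprocessor named in a table descriptor.

    jar_path is None when the descriptor names only a class, i.e. the class
    must already be on the region server classpath (the Phoenix case).
    An empty whitelist is the "opposite of a wildcard": no path ever matches.
    """
    if not jar_path:
        return True  # assumption: classpath-only coprocessors are not path-checked
    cand = urlparse(jar_path)
    # Collapse "." and ".." so /allowed/../other/x.jar cannot pass as /allowed/*
    cand_path = normpath(cand.path)
    for pattern in whitelist:
        if pattern == "*":
            return True  # explicit wildcard: any path is accepted
        pat = urlparse(pattern)
        # A scheme or authority written in the pattern must match exactly,
        # so a file:/// entry never admits an hdfs:/// jar.
        if pat.scheme and pat.scheme != cand.scheme:
            continue
        if pat.netloc and pat.netloc != cand.netloc:
            continue
        # fnmatch's "*" also crosses "/" boundaries, so a directory pattern
        # covers everything beneath that directory.
        if fnmatchcase(cand_path, normpath(pat.path)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the issue.
    samples = [
        (None, []),
        ("hdfs:///apps/tenant-a/cp.jar", []),
        ("hdfs:///apps/tenant-a/cp.jar", ["hdfs:///apps/tenant-a/*"]),
        ("hdfs:///apps/tenant-a/../tenant-b/cp.jar", ["hdfs:///apps/tenant-a/*"]),
        ("hdfs:///opt/cp/x.jar", ["file:///opt/cp/*"]),
    ]
    for path, wl in samples:
        print(path, wl, coprocessor_allowed(path, wl))
```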


