[jira] [Commented] (HBASE-16700) Allow for coprocessor whitelisting

Sat, 31 Dec 2016 18:55:48 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-16700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15790420#comment-15790420
 ] 

Clay B. commented on HBASE-16700:
---------------------------------

[~stack] Thanks for thinking of the release notes! I can't seem to  do a better 
job than what you have. The best I came up with was:
"This features allows restricting filesystem deployed user coprocessors (those 
defined against a table with a JAR path). Allows for classpath coprocessors 
(e.g. Apache Phoenix) and coprocessors deployed from whitelisted file-system 
paths."

Otherwise, I would think these should be medium tests based on being nine tests 
(each are certainly expected to take less than 50 seconds) so that'd be a max 
of less than 10 minutes total serially (though they can be parallelized). As I 
understand a medium test it should take less than 30 minutes; but it may be 
true that there's not a need for all developers to end up running this?

Unfortunately, the Jenkins link seems to have become a 404, so I can't see 
which test(s) timed out to understand how they may have hung up?

> Allow for coprocessor whitelisting
> ----------------------------------
>
>                 Key: HBASE-16700
>                 URL: https://issues.apache.org/jira/browse/HBASE-16700
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors
>            Reporter: Clay B.
>            Assignee: Clay B.
>            Priority: Minor
>              Labels: security
>             Fix For: 2.0.0
>
>         Attachments: HBASE-16700.000.patch, HBASE-16700.001.patch, 
> HBASE-16700.002.patch, HBASE-16700.003.patch, HBASE-16700.004.patch, 
> HBASE-16700.005.patch, HBASE-16700.006.patch, HBASE-16700.007.patch, 
> HBASE-16700.008.patch
>
>
> Today one can turn off all non-system coprocessors with 
> {{hbase.coprocessor.user.enabled}} however, this disables very useful things 
> like Apache Phoenix's coprocessors. Some tenants of a multi-user HBase may 
> also need to run bespoke coprocessors. But as an operator I would not want 
> wanton coprocessor usage. Ideally, one could do one of two things:
> * Allow coprocessors defined in {{hbase-site.xml}} -- this can only be 
> administratively changed in most cases
> * Allow coprocessors from table descriptors but only if the coprocessor is 
> whitelisted



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to