[
https://issues.apache.org/jira/browse/HBASE-18659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16138421#comment-16138421
]
Wei-Chiu Chuang commented on HBASE-18659:
-----------------------------------------
Sounds like a pretty good proposal, and a valid use case of HDFS ACLs.
Things can get more complicated when you want to synchronize permissions
between different HFiles. You would also want to make sure the permission
exposed to HBase is in sync with other services, such as Hive or Impala, or
MapReduce.
Apache Sentry is a project where it provides a centralized authorization
management for these services. From a HDFS perspective, the authorization of a
file is delegated to Sentry, and Sentry returns a HDFS ACL that is equivalent
to Hive table permissions (RBAC).
> Use HDFS ACL to give user the ability to read snapshot directly on HDFS
> -----------------------------------------------------------------------
>
> Key: HBASE-18659
> URL: https://issues.apache.org/jira/browse/HBASE-18659
> Project: HBase
> Issue Type: New Feature
> Reporter: Duo Zhang
>
> On the dev meetup notes in Shenzhen after HBaseCon Asia, there is a topic
> about the permission to read hfiles on HDFS directly.
> {quote}
> For client-side scanner going against hfiles directly; is there a means of
> being able to pass the permissions from hbase to hdfs?
> {quote}
> And at Xiaomi we also face the same problem. {{SnapshotScanner}} is much
> faster and consumes less resources, but only super use has the ability to
> read hfile directly on HDFS.
> So here we want to use HDFS ACL to address this problem.
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_File_System_API
> The basic idea is to set acl and default on the table directory on HDFS for
> the users who have the permission to read the table on HBase.
> Suggestions are welcomed.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
