[
https://issues.apache.org/jira/browse/HBASE-20357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16502258#comment-16502258
]
Nihal Jain edited comment on HBASE-20357 at 6/5/18 6:34 PM:
------------------------------------------------------------
The docstring of AccessChecker.requirePermission(User, String, String, Action)
can be updated. We can add params user, request. Currently I see the following
method description in my IDE. Since these two params are missing, these are
displayed in an unordered fashion.
{noformat}
Authorizes that the current user has global privileges for the given action.
Parameters:
perm The action being requested
filterUser User name to be filtered as requested
user
request
{noformat}
Just noticed. It is the case in each method in the aforementioned class. Maybe
we can fix it with this patch.
Also, proper doc can be added to differentiate user and filterUser.
> AccessControlClient API Enhancement
> -----------------------------------
>
> Key: HBASE-20357
> URL: https://issues.apache.org/jira/browse/HBASE-20357
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Major
> Attachments: HBASE-20357.master.001.patch
>
>
> *Background:*
> Currently HBase ACLs can be retrieved based on the namespace or table name
> only. There is no direct API available to retrieve the permissions based on
> the namespace, table name, column family and column qualifier for a specific
> user.
> Client has to write application logic in multiple steps to retrieve ACLs
> based on table name, column name and column qualifier for a specific user.
> HBase should enhance AccessControlClient APIs to simplify this.
> *AccessControlClient API should be extended with the following APIs,*
> 1. To retrieve permissions based on the namespace, table name, column family
> and column qualifier for a specific user.
> Permissions can be retrieved based on the following inputs,
> - Namespace/Table (already available)
> - Namespace/Table + UserName
> - Table + CF
> - Table + CF + UserName
> - Table + CF + CQ
> - Table + CF + CQ + UserName
> Scope of retrieving permission will be as follows,
> - Same as existing
> 2. To validate whether a user is allowed to perform specified
> operations on a particular table, will be useful to check user privilege
> instead of getting ACD during client operation.
> User validation can be performed based on the following inputs,
> - Table + CF + CQ + UserName + Actions
> Scope of validating user privilege,
> User can perform self check without any special privilege
> but ADMIN privilege will be required to perform check for other users.
> For example, suppose there are two users "userA" &
> "userB" then there can be the below scenarios,
> - when userA wants to check whether userA has
> privilege to perform mentioned actions
> > userA doesn't need ADMIN privilege, as it's a
> self query.
> - when userA wants to check whether userB has
> privilege to perform mentioned actions,
> > userA must have ADMIN or superuser
> privilege, as it's trying to query for another user.
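The validation scope described in the issue (self check without privilege, ADMIN or superuser to check another user), sketched as an added Java example that is not part of the issue, the patch or HBase itself. The class `PrivilegeCheckSketch`, its `Grant` type and `hasPermission` signature are hypothetical; it assumes ADMIN is looked up at table scope on the queried table and that a grant on a table or column family covers the narrower scopes under it.

```java
import java.util.*;
// Hypothetical in-memory model of the scope rule; not HBase code.
public class PrivilegeCheckSketch {
    enum Action { READ, WRITE, ADMIN }
    // Table-scope grant: cf == null and cq == null. CF-scope grant: cq == null.
    static final class Grant {
        final String user, table, cf, cq;
        final EnumSet<Action> actions;
        Grant(String user, String table, String cf, String cq, EnumSet<Action> actions) {
            this.user = user; this.table = table; this.cf = cf; this.cq = cq; this.actions = actions;
        }
        // A broader grant (null cf/cq) covers every narrower scope beneath it.
        boolean covers(String t, String f, String q) {
            return table.equals(t) && (cf == null || cf.equals(f)) && (cq == null || cq.equals(q));
        }
    }
    final List<Grant> acl = new ArrayList<>();
    final Set<String> superusers = new HashSet<>();

    // Self check needs no privilege; checking another user needs ADMIN or superuser.
    // Assumption: ADMIN is looked up at table scope on the queried table.
    boolean hasPermission(String caller, String target, String table, String cf, String cq,
                          Action... wanted) {
        if (!caller.equals(target) && !superusers.contains(caller)
                && !granted(caller, table, null, null, Action.ADMIN)) {
            // Refuse outright so the answer does not leak another user's privileges.
            throw new SecurityException(caller + " may not query privileges of " + target);
        }
        return granted(target, table, cf, cq, wanted);
    }

    // Unions the actions of every grant covering the requested scope.
    private boolean granted(String user, String table, String cf, String cq, Action... wanted) {
        EnumSet<Action> have = EnumSet.noneOf(Action.class);
        for (Grant g : acl) {
            if (g.user.equals(user) && g.covers(table, cf, cq)) have.addAll(g.actions);
        }
        return have.containsAll(Arrays.asList(wanted));
    }

    public static void main(String[] args) {
        PrivilegeCheckSketch s = new PrivilegeCheckSketch();
        // Constructed sample grants.
        s.acl.add(new Grant("userA", "t1", "cf1", null, EnumSet.of(Action.READ)));
        s.acl.add(new Grant("userB", "t1", null, null, EnumSet.of(Action.READ, Action.WRITE)));
        System.out.println(s.hasPermission("userA", "userA", "t1", "cf1", "q1", Action.READ));
        try {
            s.hasPermission("userA", "userB", "t1", "cf1", "q1", Action.WRITE);
        } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```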