[jira] [Commented] (HBASE-20357) AccessControlClient API Enhancement

Fri, 22 Jun 2018 11:25:35 -0700 


    [ 
https://issues.apache.org/jira/browse/HBASE-20357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16520659#comment-16520659
 ] 

Pankaj Kumar commented on HBASE-20357:
--------------------------------------

Uploaded 002 patch, addressed the RB comments, checkstyle and findbugs warning.

> AccessControlClient API Enhancement
> -----------------------------------
>
>                 Key: HBASE-20357
>                 URL: https://issues.apache.org/jira/browse/HBASE-20357
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Pankaj Kumar
>            Assignee: Pankaj Kumar
>            Priority: Major
>         Attachments: HBASE-20357.master.001.patch, 
> HBASE-20357.master.002.patch
>
>
> *Background:*
>  Currently HBase ACLs can be retrieved based on the namespace or table name 
> only. There is no direct API available to retrieve the permissions based on 
> the namespace, table name, column family and column qualifier for specific 
> user.
> Client has to write application logic in multiple steps to retrieve ACLs 
> based on table name, column name and column qualifier for specific user.
>  HBase should enhance AccessControlClient APIs to simplyfy this.
> *AccessControlClient API should be extended with following APIs,*    
>  # To retrieve permissions based on the namespace, table name, column family 
> and column qualifier for specific user.
>   Permissions can be retrieved based on the following inputs,
>        - Namespace/Table (already available)
>        - Namespace/Table + UserName
>        - Table + CF
>        - Table + CF + UserName
>        - Table + CF + CQ
>        - Table + CF + CQ + UserName
>           Scope of retrieving permission will be as follows,
>                  - Same as existing
>        2. To validate whether a user is allowed to perform specified 
> operations on a particular table, will be useful to check user privilege 
> instead of getting ACD during client                                    
> operation.
>              User validation can be performed based on following inputs, 
>                   - Table + CF + CQ + UserName + Actions
>             Scope of validating user privilege,
>                     User can perform self check without any special privilege 
> but ADMIN privilege will be required to perform check for other users.
>                     For example, suppose there are two users "userA" & 
> "userB" then there can be below scenarios,
>                         - when userA want to check whether userA have 
> privilege to perform mentioned actions
>                                 > userA don't need ADMIN privilege, as it's a 
> self query.
>                        - when userA want to check whether userB have 
> privilege to perform mentioned actions,
>                                 > userA must have ADMIN or superuser 
> privilege, as it's trying to query for other user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to