[
https://issues.apache.org/jira/browse/HBASE-20357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16520764#comment-16520764
]
Ted Yu commented on HBASE-20357:
--------------------------------
There are 3 pairs of
bq. result.getParams().addExtraParam("filterUser", filterUser);
in if / else blocks which can be lifted outside the if.
For class InputUser :
{code}
+ public String toString() {
+ return name;
{code}
Should group name be included ?
{code}
+ public static List<String> getUserGroups(String user) {
+ List<String> userGroup = new ArrayList<String>();
{code}
Looks like the empty ArrayList is only needed in case of IOE.
I think you can move the assignment of the empty ArrayList to the catch block.
{code}
+ * Returns the currently granted permissions for a given table with
associated permissions based
+ * on the specified column family, column qualifier and user name.
+ */
+ static List<UserPermission> getUserPermissions(Configuration conf, byte[]
entryName, byte[] cf,
{code}
The entryName may mean namespace. Please modify javadoc to reflect this.
{code}
+ if (filterUser != null) {
+ // Validate the filterUser when specified
+ if (!validateFilterUser(username, filterUser, filterUserGroups)
+ || !validateCFAndCQ(permFamily, cf, permQualifier, cq)) {
{code}
The validateCFAndCQ call is common to with and without filterUser. It can be
lifted outside the if.
> AccessControlClient API Enhancement
> -----------------------------------
>
> Key: HBASE-20357
> URL: https://issues.apache.org/jira/browse/HBASE-20357
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Major
> Attachments: HBASE-20357.master.001.patch,
> HBASE-20357.master.002.patch
>
>
> *Background:*
> Currently HBase ACLs can be retrieved based on the namespace or table name
> only. There is no direct API available to retrieve the permissions based on
> the namespace, table name, column family and column qualifier for specific
> user.
> Client has to write application logic in multiple steps to retrieve ACLs
> based on table name, column name and column qualifier for specific user.
> HBase should enhance AccessControlClient APIs to simplyfy this.
> *AccessControlClient API should be extended with following APIs,*
> # To retrieve permissions based on the namespace, table name, column family
> and column qualifier for specific user.
> Permissions can be retrieved based on the following inputs,
> - Namespace/Table (already available)
> - Namespace/Table + UserName
> - Table + CF
> - Table + CF + UserName
> - Table + CF + CQ
> - Table + CF + CQ + UserName
> Scope of retrieving permission will be as follows,
> - Same as existing
> 2. To validate whether a user is allowed to perform specified
> operations on a particular table, will be useful to check user privilege
> instead of getting ACD during client
> operation.
> User validation can be performed based on following inputs,
> - Table + CF + CQ + UserName + Actions
> Scope of validating user privilege,
> User can perform self check without any special privilege
> but ADMIN privilege will be required to perform check for other users.
> For example, suppose there are two users "userA" &
> "userB" then there can be below scenarios,
> - when userA want to check whether userA have
> privilege to perform mentioned actions
> > userA don't need ADMIN privilege, as it's a
> self query.
> - when userA want to check whether userB have
> privilege to perform mentioned actions,
> > userA must have ADMIN or superuser
> privilege, as it's trying to query for other user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
