[ https://issues.apache.org/jira/browse/HBASE-20357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pankaj Kumar updated HBASE-20357:
---------------------------------
    Release Note: 
This enhances the AccessControlClient APIs to retrieve permissions based on namespace, table name, family and qualifier for a specific user. AccessControlClient can also validate whether a user is allowed to perform specified operations on a particular table.

The following APIs have been added:

1) getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily, byte[] columnQualifier, String userName)
     Scope of retrieving permissions will be the same as existing.
2) hasPermission(Connection connection, String tableName, byte[] columnFamily, byte[] columnQualifier, String userName, Permission.Action... actions)
     Scope of validating user privilege:
       A user can perform a self check without any special privilege, but ADMIN privilege will be required to perform the check for other users.
       For example, suppose there are two users, "userA" and "userB"; then the following scenarios are possible:
         a. When userA wants to check whether userA has the privilege to perform the mentioned actions,
              userA doesn't need ADMIN privilege, as it's a self query.
         b. When userA wants to check whether userB has the privilege to perform the mentioned actions,
              userA must have ADMIN or superuser privilege, as it's trying to query for another user.

> AccessControlClient API Enhancement
> -----------------------------------
>
>                 Key: HBASE-20357
>                 URL: https://issues.apache.org/jira/browse/HBASE-20357
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Pankaj Kumar
>            Assignee: Pankaj Kumar
>            Priority: Major
>         Attachments: HBASE-20357.master.001.patch, 
> HBASE-20357.master.002.patch, HBASE-20357.master.003.patch
>
>
> *Background:*
>  Currently HBase ACLs can be retrieved based on the namespace or table name only. There is no direct API available to retrieve the permissions based on the namespace, table name, column family and column qualifier for a specific user.
>  The client has to write application logic in multiple steps to retrieve ACLs based on table name, column name and column qualifier for a specific user.
>  HBase should enhance the AccessControlClient APIs to simplify this.
>
> *AccessControlClient API should be extended with the following APIs,*
>  1. To retrieve permissions based on the namespace, table name, column family and column qualifier for a specific user.
>     Permissions can be retrieved based on the following inputs,
>        - Namespace/Table (already available)
>        - Namespace/Table + UserName
>        - Table + CF
>        - Table + CF + UserName
>        - Table + CF + CQ
>        - Table + CF + CQ + UserName
>     Scope of retrieving permission will be as follows,
>        - Same as existing
>  2. To validate whether a user is allowed to perform specified operations on a particular table; this will be useful to check user privilege instead of getting ACD during client operation.
>     User validation can be performed based on the following inputs,
>        - Table + CF + CQ + UserName + Actions
>     Scope of validating user privilege,
>        A user can perform a self check without any special privilege, but ADMIN privilege will be required to perform the check for other users.
>        For example, suppose there are two users, "userA" and "userB"; then the following scenarios are possible,
>        - when userA wants to check whether userA has the privilege to perform the mentioned actions
>             -> userA doesn't need ADMIN privilege, as it's a self query.
>        - when userA wants to check whether userB has the privilege to perform the mentioned actions,
>             -> userA must have ADMIN or superuser privilege, as it's trying to query for another user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
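
A least-privilege audit built on the two APIs named in the release note, as an added example that is not part of the patch or the HBase project's own code. The table, family, qualifier, user name and expected action set are hypothetical; it assumes a secured cluster whose configuration is on the classpath and a caller that is either the audited user or holds ADMIN/superuser privilege.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.Bytes;

/** Least-privilege audit for one user on one column (added example). */
public class ColumnAclAudit {

  /** Returns the actions the user holds on table:cf:cq beyond the expected set. */
  static Set<Permission.Action> excess(Connection conn, String table, byte[] cf, byte[] cq,
      String user, Set<Permission.Action> expected) throws Throwable {
    Set<Permission.Action> extra = EnumSet.noneOf(Permission.Action.class);
    for (Permission.Action action : Permission.Action.values()) {
      // One action per call, so each answer is attributable to a single action.
      boolean held = AccessControlClient.hasPermission(conn, table, cf, cq, user, action);
      if (held && !expected.contains(action)) {
        extra.add(action);
      }
    }
    return extra;
  }

  public static void main(String[] args) throws Throwable {
    // Hypothetical names; replace with your own table, column and account.
    String table = "orders";
    byte[] cf = Bytes.toBytes("pii");
    byte[] cq = Bytes.toBytes("ssn");
    String user = "userB";
    Set<Permission.Action> expected = EnumSet.of(Permission.Action.READ);

    // The caller is whoever this connection authenticates as. Per the release note,
    // checking another user requires ADMIN or superuser; a self check does not.
    try (Connection conn = ConnectionFactory.createConnection(HBaseConfiguration.create())) {
      Set<Permission.Action> extra = excess(conn, table, cf, cq, user, expected);
      System.out.println(user + " excess actions on " + table + ": " + extra);
      if (!extra.isEmpty()) {
        // List the grants returned for the same filter (first argument is a table regex).
        List<UserPermission> grants =
            AccessControlClient.getUserPermissions(conn, table, cf, cq, user);
        grants.forEach(g -> System.out.println("  grant: " + g));
      }
    }
  }
}
```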
