Re: Cell-level security with Coprocessors

2018-04-09 Thread Jim Hughes 

Hi Anoop,

Here's a ticket for the discussion: 
https://issues.apache.org/jira/browse/HBASE-20374.


I found what you are mentioning, and I was able to integrate my custom 
coprocessor in GeoMesa by calling out to 
rs.getCoprocessorHost.preScannerOpen(scan) in order to enable the 
VisibilityController to insert its filters...


To be honest, this is definitely a corner case.  I think the fix might 
be to have the Region.getScanner implementation (2) to call out to any 
other Coprocessors to intercept as they are designed to.


Cheers,

Jim

1. 
https://github.com/locationtech/geomesa/blob/master/geomesa-hbase/geomesa-hbase-datastore/src/main/scala/org/locationtech/geomesa/hbase/coprocessor/GeoMesaCoprocessor.scala#L65
2. 
https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegion.java#L2783-L2829


On 2018-04-09 06:49, Anoop John wrote:

Hi Jim
Just taking your eg: Use cell level labels along with
AggregationClient - Tt will NOT work.  The reason is the Aggregation
impl for the server side will create scanner directly over the Region.
As you know, the cell level security features work with the help of a
co processor and it expects the CP to be informed while opening of
scanner.   But the CP contact while opening the scanner is one layer
above the Region level (ie at RSRpcServices). So when the
Aggregation service impl is opening the scanner, the visibility
related CP will not get into pic.If that was not the case, the
rest of the things would have been just fine for ur need.  Mind
opening an issue and we discuss under that for the possible fixes?

-Anoop-

On Fri, Mar 30, 2018 at 8:57 PM, Jim Hughes  wrote:

Hi all,

I'm interested in combining an HBase Coprocessor with cell level 
security.

As a quick example, suppose one wanted to use the ColumnAggregation
Processor with cells with different authorizations.  Different users 
should
be able to scan and see the sum of the entries that they'd normally be 
able

to scan.

From the first few hours of looking, it appears that Coprocessors call 
out
to the RegionServer's getScanner method which does not apply any 
security by

default.

Have others had success combining custom coprocessors with cell-level
security?  That is, are there any pointers for getting started?

Cheers,

Jim

Re: Cell-level security with Coprocessors

2018-04-09 Thread Anoop John 
Hi Jim
Just taking your eg: Use cell level labels along with
AggregationClient - Tt will NOT work.  The reason is the Aggregation
impl for the server side will create scanner directly over the Region.
As you know, the cell level security features work with the help of a
co processor and it expects the CP to be informed while opening of
scanner.   But the CP contact while opening the scanner is one layer
above the Region level (ie at RSRpcServices). So when the
Aggregation service impl is opening the scanner, the visibility
related CP will not get into pic.If that was not the case, the
rest of the things would have been just fine for ur need.  Mind
opening an issue and we discuss under that for the possible fixes?

-Anoop-

On Fri, Mar 30, 2018 at 8:57 PM, Jim Hughes  wrote:
> Hi all,
>
> I'm interested in combining an HBase Coprocessor with cell level security.
> As a quick example, suppose one wanted to use the ColumnAggregation
> Processor with cells with different authorizations.  Different users should
> be able to scan and see the sum of the entries that they'd normally be able
> to scan.
>
> From the first few hours of looking, it appears that Coprocessors call out
> to the RegionServer's getScanner method which does not apply any security by
> default.
>
> Have others had success combining custom coprocessors with cell-level
> security?  That is, are there any pointers for getting started?
>
> Cheers,
>
> Jim
>