[ 
https://issues.apache.org/jira/browse/HBASE-21591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Clay B. resolved HBASE-21591.
-----------------------------
    Resolution: Won't Fix

I do not have the intention to work on this further as I have been informed one 
can achieve this using Apache Ranger in front of HBase.

> Support ability to have host based permissions
> ----------------------------------------------
>
>                 Key: HBASE-21591
>                 URL: https://issues.apache.org/jira/browse/HBASE-21591
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Clay B.
>            Assignee: Clay B.
>            Priority: Trivial
>
> Today, one can put in an ACL rule where a user is not permitted to read data 
> but can insert data (e.g. {{grant 'user', 'table', 'W'}}). However, one can 
> not implement HBase as a "drop-box" for data whereby in a secure network, 
> one can read and write data but outside that secure network one can only 
> write data; and I do not believe this is possible with custom access 
> controllers, unless one "wraps" HBase; e.g. with the HBase REST server.
> I have been pushing for this model (e.g. [Of Data Dropboxes and Data 
> Gloveboxes|https://thestrangeloop.com/2018/of-data-dropboxes-and-data-gloveboxes.html]
>  or 
> [slides|http://clayb.net/presentations/Of%20Data%20Dropboxes%20and%20Data%20Gloveboxes.pdf])
>  in a number of technologies for some data compartmentalization initiatives.
> I propose passing the requester's host information through the HBase 
> authentication stack so that the ACL model in HBase can work akin to the SQL 
> semantics of {{user@host}} or {{user@<anywhere>}}. The expected impact would 
> be to HBase private interfaces only, so far in POC'ing it seems the following 
> would be impacted:
> Access Control Classes/ACL Table Management:
> * AccessControlUtil
> * UserPermission
> * AccessChecker
> * AccessControlFilter
> * AccessController
> * AuthResult
> * TableAuthManager
> * AccessControl.proto
> Co-Processor APIs for Checking Authentication:
> * CoprocessorHost
> * ObserverContext
> * ObserverContextImpl
> * RSRpcServices
> * RSGroupAdminEndpoint



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
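
The {{user@host}} drop-box semantics proposed in the issue, modelled as an added example that is not part of the original message and is not HBase or Apache Ranger code. The `Grant` record, the CIDR form of the host pattern, and the sample addresses are assumptions made for illustration; only the `<anywhere>` wildcard and the read/write split come from the issue text.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Hypothetical model of user@host grants; none of these types are HBase classes.
public class HostScopedAcl {
    enum Action { READ, WRITE }

    // hostPattern is a CIDR block (assumed syntax) or the "<anywhere>" wildcard from the issue.
    record Grant(String user, String hostPattern, Set<Action> actions) {}

    static boolean hostMatches(String pattern, InetAddress addr) throws UnknownHostException {
        if (pattern.equals("<anywhere>")) return true;
        String[] parts = pattern.split("/");
        if (parts.length != 2) return false;                       // malformed pattern never matches
        byte[] net = InetAddress.getByName(parts[0]).getAddress(); // IP literal, so no DNS lookup
        byte[] ip = addr.getAddress();
        int bits = Integer.parseInt(parts[1]);
        // Reject address-family mismatches and out-of-range prefix lengths.
        if (net.length != ip.length || bits < 0 || bits > net.length * 8) return false;
        for (int i = 0; i < bits; i++) {
            int mask = 0x80 >> (i % 8);
            if ((net[i / 8] & mask) != (ip[i / 8] & mask)) return false;
        }
        return true;
    }

    // Default deny: allowed only if some grant for this user covers both the action and the peer.
    // Assumption: remoteIp is the peer address the server observed on the connection,
    // never a value supplied by the client in the request.
    static boolean allowed(List<Grant> acl, String user, String remoteIp, Action action)
            throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(remoteIp);
        for (Grant g : acl) {
            if (g.user().equals(user) && g.actions().contains(action)
                    && hostMatches(g.hostPattern(), addr)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed drop-box policy: read and write inside 10.0.0.0/8, write-only elsewhere.
        List<Grant> acl = List.of(
            new Grant("user", "10.0.0.0/8", EnumSet.of(Action.READ, Action.WRITE)),
            new Grant("user", "<anywhere>", EnumSet.of(Action.WRITE)));
        System.out.println(allowed(acl, "user", "10.1.2.3", Action.READ));     // peer inside, READ
        System.out.println(allowed(acl, "user", "203.0.113.7", Action.READ));  // peer outside, READ
        System.out.println(allowed(acl, "user", "203.0.113.7", Action.WRITE)); // peer outside, WRITE
    }
}
```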
