[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels

Tue, 29 Oct 2013 07:17:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808011#comment-13808011
 ] 

Andrew Purtell commented on HBASE-7663:
---------------------------------------

V3 patch is looking pretty good Anoop.

Debug logging should be wrapped in if (LOG.isDebugEnabled()) conditionals. 

Could use an integration test. Can be follow on work, like HBASE-9846.

If ParseException is going to be thrown back to clients, it should be in 
hbase-client.

In VisibilityController you have this TODO:
{code}
TODO this can be made as a global LRU cache at HRS level?
{code}
Could be follow on work but I guess there will be another patch here soon that 
contains one?

In VisibilityController#preScannerOpen there is this empty conditional:
{code}
if (region.getRegionInfo().getTable().isSystemTable()) {

}
{code}
What is supposed to happen here?

"getSyetmAndSuperUsers" is misspelled.

In ZKVisibilityLabelWatcher should we be calling sync() on the ZK handle to 
insure we are up to date?

Should we look at javaEWAH instead of BitSet?

Consider unit test coverage for the new labels commands, I guess somewhere in 
the visibility unit tests since they require the CP to be installed.

The VisibilityController init code assumes if the AccessController is loaded it 
will be the first in the chain. Should we rely on that?

> [Per-KV security] Visibility labels
> -----------------------------------
>
>                 Key: HBASE-7663
>                 URL: https://issues.apache.org/jira/browse/HBASE-7663
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>    Affects Versions: 0.98.0
>            Reporter: Andrew Purtell
>            Assignee: Anoop Sam John
>         Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, 
> HBASE-7663_V3.patch
>
>
> Implement Accumulo-style visibility labels. Consider the following design 
> principles:
> - Coprocessor based implementation
> - Minimal to no changes to core code
> - Use KeyValue tags (HBASE-7448) to carry labels
> - Use OperationWithAttributes# {get,set}Attribute for handling visibility 
> labels in the API
> - Implement a new filter for evaluating visibility labels as KVs are streamed 
> through.
> This approach would be consistent in deployment and API details with other 
> per-KV security work, supporting environments where they might be both be 
> employed, even stacked on some tables.
> See the parent issue for more discussion.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to