[ https://issues.apache.org/jira/browse/HBASE-10322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13875990#comment-13875990 ]
Lars Hofhansl commented on HBASE-10322: --------------------------------------- I am a bit late to this party. The visibility tags control what a *client* can see, right? Then what's a "client"? A client is outside of the HBase cluster outside of HBase's control. So HFile, HLog are not a client. Replication is also not a client. Export is a client, just like any other Java/Thrift/MR/etc client. As Andy points out the interesting part here are these real clients. Are the tags themselves (i.e. who sees what) more sensitive than the data that can be accessed. I.e. if I can see a certain KV, should I be able to see its visibility tags? * If the answer is "yes", this is an easy problem in principle and squarely in the hands of an HBase admin to setup access correctly. You just run Export/etc as a user with sufficient access and all problems just go away. * If the answer is "no" it gets murky quickly. Now all tools and access paths need to be considered individually. Maybe we can even have a tag that controls the visibility of the tags? Generally anything that we hardware assumes something about desired behavior that might not be the same at every institution. > Strip tags from KV while sending back to client on reads > -------------------------------------------------------- > > Key: HBASE-10322 > URL: https://issues.apache.org/jira/browse/HBASE-10322 > Project: HBase > Issue Type: Bug > Affects Versions: 0.98.0 > Reporter: Anoop Sam John > Assignee: Anoop Sam John > Priority: Blocker > Fix For: 0.98.0, 0.99.0 > > Attachments: HBASE-10322.patch, HBASE-10322_V2.patch, > HBASE-10322_codec.patch > > > Right now we have some inconsistency wrt sending back tags on read. We do > this in scan when using Java client(Codec based cell block encoding). But > during a Get operation or when a pure PB based Scan comes we are not sending > back the tags. So any of the below fix we have to do > 1. Send back tags in missing cases also. But sending back visibility > expression/ cell ACL is not correct. > 2. Don't send back tags in any case. This will a problem when a tool like > ExportTool use the scan to export the table data. We will miss exporting the > cell visibility/ACL. > 3. Send back tags based on some condition. It has to be per scan basis. > Simplest way is pass some kind of attribute in Scan which says whether to > send back tags or not. But believing some thing what scan specifies might not > be correct IMO. Then comes the way of checking the user who is doing the > scan. When a HBase super user doing the scan then only send back tags. So > when a case comes like Export Tool's the execution should happen from a super > user. > So IMO we should go with #3. > Patch coming soon. -- This message was sent by Atlassian JIRA (v6.1.5#6160)