[ 
https://issues.apache.org/jira/browse/HBASE-11095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13984785#comment-13984785
 ] 

Andrew Purtell commented on HBASE-11095:
----------------------------------------

I've thought about this some. We could build a service authorization engine 
supporting fine-grained decision-making using attributes such as client IP 
address (surely the first of many), but consider:

First, Hadoop already has a nascent service authorization framework, see 
https://hadoop.apache.org/docs/r2.2.0/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html
At least when our secure RPC was first committed we picked up support for 
service authorization for all of our RPC protocols from the Hadoop libraries. 
The current Hadoop code does not support IP filtering but it could.

Second, even if we build our own fine-grained service authorization, will 
Hadoop someday introduce the same facilities? There is HADOOP-9466. Incubating 
projects like Apache Sentry are also working toward this kind of capability. 

Third, see HBASE-7123 and HBASE-7254. To the extent that technical debt should 
be paid down in the AccessController, we should factor that in. 
permissionGranted and the like are where you'd start with today's code to 
implement restrictions by IP address. 

> Add ip restriction in user permissions
> --------------------------------------
>
>                 Key: HBASE-11095
>                 URL: https://issues.apache.org/jira/browse/HBASE-11095
>             Project: HBase
>          Issue Type: New Feature
>          Components: security
>            Reporter: Liu Shaohui
>            Priority: Minor
>
> For some sensitive data, users want to restrict the from ips of hbase users 
> like mysql access control. 
> One direct solution is to add the candidated ips when granting user 
> permissions.
> {quote}
> grant <user|@group\[@ip-regular expression\]> [ <table> [ <column family> [ 
> <column qualifier> ] ] ]
> {quote}
> Any comments and suggestions are welcomed.
> [~apurtell]



--
This message was sent by Atlassian JIRA
(v6.2#6252)
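
A sketch of how the proposed `user|@group[@ip-regular expression]` grant principal could be parsed and checked, as an added example that is not HBase code and not from either participant. The class `IpRestrictedGrant` and its methods are hypothetical, and the remote address is assumed to arrive as a numeric string; the sample addresses are constructed to show why the pattern has to match the whole address rather than a substring.

```java
import java.util.regex.Pattern;

/** Hypothetical illustration only; none of these names exist in HBase. */
public class IpRestrictedGrant {
    final String principal;   // "alice" or "@admins" (groups keep their leading '@')
    final Pattern ipPattern;  // null means the grant carries no IP restriction

    IpRestrictedGrant(String principal, Pattern ipPattern) {
        this.principal = principal;
        this.ipPattern = ipPattern;
    }

    /** Splits "user@regex" or "@group@regex"; the search starts at index 1
     *  so the '@' that marks a group is not taken for the separator. */
    static IpRestrictedGrant parse(String spec) {
        int at = spec.indexOf('@', 1);
        if (at < 0) {
            return new IpRestrictedGrant(spec, null);
        }
        String regex = spec.substring(at + 1);
        if (regex.isEmpty()) {
            throw new IllegalArgumentException("empty IP pattern in: " + spec);
        }
        return new IpRestrictedGrant(spec.substring(0, at), Pattern.compile(regex));
    }

    /** True only if the principal matches and the entire address matches the pattern. */
    boolean allows(String who, String remoteIp) {
        if (!principal.equals(who)) {
            return false;
        }
        return ipPattern == null || ipPattern.matcher(remoteIp).matches();
    }

    public static void main(String[] args) {
        IpRestrictedGrant g = parse("alice@10\\.0\\.0\\.\\d{1,3}");
        // Constructed sample addresses. find() is shown only for contrast:
        // a substring match would accept addresses outside 10.0.0.x.
        String[] ips = {"10.0.0.7", "10.0.0.200", "110.0.0.7", "10.0.0.7000", "192.168.1.5"};
        for (String ip : ips) {
            System.out.printf("%-12s whole-address=%-5b substring=%b%n",
                    ip, g.allows("alice", ip), g.ipPattern.matcher(ip).find());
        }
        System.out.println(parse("@admins@172\\.16\\..*").principal);  // group principal
        System.out.println(parse("bob").allows("bob", "203.0.113.9")); // unrestricted grant
    }
}
```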
