[ 
https://issues.apache.org/jira/browse/HBASE-12346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14187082#comment-14187082
 ] 

Jerry He commented on HBASE-12346:
----------------------------------

Hi, [~apurtell]
Do you have additional comment or other concern?
Looking for a nod from you.

> Scan's default auths behavior under Visibility labels
> -----------------------------------------------------
>
>                 Key: HBASE-12346
>                 URL: https://issues.apache.org/jira/browse/HBASE-12346
>             Project: HBase
>          Issue Type: Bug
>          Components: API, security
>    Affects Versions: 0.98.7, 0.99.1
>            Reporter: Jerry He
>             Fix For: 0.98.8, 0.99.2
>
>         Attachments: HBASE-12346-master-v2.patch, HBASE-12346-master.patch
>
>
> In Visibility Labels security, a set of labels (auths) are administered and 
> associated with a user.
> A user can normally  only see cell data during scan that are part of the 
> user's label set (auths).
> Scan uses setAuthorizations to indicates its wants to use the auths to access 
> the cells.
> Similarly in the shell:
> {code}
> scan 'table1', AUTHORIZATIONS => ['private']
> {code}
> But it is a surprise to find that setAuthorizations seems to be 'mandatory' 
> in the default visibility label security setting.  Every scan needs to 
> setAuthorizations before the scan can get any cells even the cells are under 
> the labels the request user is part of.
> The following steps will illustrate the issue:
> Run as superuser.
> {code}
> 1. create a visibility label called 'private'
> 2. create 'table1'
> 3. put into 'table1' data and label the data as 'private'
> 4. set_auths 'user1', 'private'
> 5. grant 'user1', 'RW', 'table1'
> {code}
> Run as 'user1':
> {code}
> 1. scan 'table1'
> This show no cells.
> 2. scan 'table1', scan 'table1', AUTHORIZATIONS => ['private']
> This will show all the data.
> {code}
> I am not sure if this is expected by design or a bug.
> But a more reasonable, more client application backward compatible, and less 
> surprising default behavior should probably look like this:
> A scan's default auths, if its Authorizations attributes is not set 
> explicitly, should be all the auths the request user is administered and 
> allowed on the server.
> If scan.setAuthorizations is used, then the server further filter the auths 
> during scan: use the input auths minus what is not in user's label set on the 
> server.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to