[ https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14242212#comment-14242212 ]

Anoop Sam John commented on HBASE-12644:
----------------------------------------

Actually the refresh will happen in an indirect way. The refresh has to happen in all 
RSs, so we rely on the zk nodeChanged callback event. Within the same RS (which 
hosts the labels table) it also happens this way. Yes, there can be a time gap 
because of which tests are failing. (But is this new? Maybe because of your change 
the ops and remaining test execution are happening faster?) There is no problem in 
explicitly calling this refresh call. The only thing is, again the nodeChanged will 
call the refresh. We may avoid that too with slight changes. Please check, after 
giving some time gaps between ops (like label/auth add and scan/put) in tests, 
whether you are getting no issue.

> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
>                 Key: HBASE-12644
>                 URL: https://issues.apache.org/jira/browse/HBASE-12644
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.8, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 1.0.0, 0.98.10
>
>         Attachments: HBASE-12644-master-v2.patch, HBASE-12644-master.patch
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system 
> permission in hbase:labels.
> This makes change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add 
> super user when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for 
> details.
>  
> Additionally, there is no mechanism to remove any super user from the labels 
> table.
>  
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from 
> labelsCache after retrieval by Visibility Controller.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
