[jira] [Commented] (HBASE-12644) Visibility Labels: issue with storing super users in labels table

Sat, 13 Dec 2014 11:38:27 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14245499#comment-14245499
 ] 

Hudson commented on HBASE-12644:
--------------------------------

SUCCESS: Integrated in HBase-TRUNK #5917 (See 
[https://builds.apache.org/job/HBase-TRUNK/5917/])
HBASE-12644 Visibility Labels: issue with storing super users in labels table 
(Jerry He) (tedyu: rev b24518562adb5deb41a8780cead268cb163864d1)
* 
hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java
* 
hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGeneratorStack.java
* 
hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ZKVisibilityLabelWatcher.java
* 
hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultVisibilityLabelServiceImpl.java
* 
hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.java


> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
>                 Key: HBASE-12644
>                 URL: https://issues.apache.org/jira/browse/HBASE-12644
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.8, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 1.0.0, 2.0.0, 0.98.10
>
>         Attachments: 12644-0.98.patch, HBASE-12644-master-v2.patch, 
> HBASE-12644-master-v3.patch, HBASE-12644-master.patch
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system 
> permission in hbase:labels.
> This makes change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add 
> super user when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for 
> details.
>  
> Additionally, there is no mechanism to remove any super user from the labels 
> table.
>  
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from 
> labelsCache after retrieval by Visibility Controller.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to