[jira] [Commented] (HBASE-12644) Visibility Labels: issue with storing super users in labels table

Sat, 13 Dec 2014 23:24:49 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14245862#comment-14245862
 ] 

Anoop Sam John commented on HBASE-12644:
----------------------------------------

Will there be some issue if we keep the existing super user auth info as is in 
labels table?  I think no issue.  With this patch, we will ensure on start of 
the system we wont add the super users from now on (new deployments). But the 
flow which checks for SYSTEM label presence for the user, we have added the 
super users check new way. This should help.  Issue is when a super user is 
removed later, from the conf.  At that time another super user can remove the 
user auth... This needs a manual step.  We can document that clearly. Other 
than that all is well. Right?

> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
>                 Key: HBASE-12644
>                 URL: https://issues.apache.org/jira/browse/HBASE-12644
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.8, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 1.0.0, 2.0.0, 0.98.10
>
>         Attachments: 12644-0.98.patch, HBASE-12644-master-v2.patch, 
> HBASE-12644-master-v3.patch, HBASE-12644-master.patch
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system 
> permission in hbase:labels.
> This makes change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add 
> super user when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for 
> details.
>  
> Additionally, there is no mechanism to remove any super user from the labels 
> table.
>  
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from 
> labelsCache after retrieval by Visibility Controller.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to