[ https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14256635#comment-14256635 ]
Jerry He commented on HBASE-12745:
----------------------------------

Hi,

In VisibilityLabelService, we have this function:
{code}
  /**
   * Retrieve the visibility labels for the user and groups.
   * @param user
   *          Name of the user whose authorization to be retrieved
   *          Can be null if only group authorizations are to be retrieved
   * @param groups
   *          List of groups whose authorization to be retrieved
   *          Can be null if only user authorizations are to be retrieved
   * @param systemCall
   *          Whether a system or user originated call.
   * @return Visibility labels authorized for the given user.
   */
  List<String> getAuths(byte[] user, String[] groups, boolean systemCall) throws IOException;
{code}
In most cases on the server side, we will use the user name and groups from
{code}
User user = VisibilityUtils.getActiveUser();
{code}
In some cases, if we only want to retrieve a user's visibility labels without the implicit group expansion (e.g. from a Visibility client request), we will pass 'null' as the group argument.
Similarly, if we only want to retrieve a group's visibility labels, we will pass 'null' as the user name argument, e.g. from hbase shell:
get_auths '@group1'

These different requirements complicate things a little.

> Visibility Labels: support visibility labels for user groups.
> --------------------------------------------------------------
>
>                 Key: HBASE-12745
>                 URL: https://issues.apache.org/jira/browse/HBASE-12745
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 0.98.9, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 2.0.0
>
>         Attachments: HBASE-12745-master-v1.patch
>
>
> The thinking is that we should support visibility labels to be associated
> with user groups.
> We will then be able to grant visibility labels to a group in addition to
> individual users, which provides convenience and usability.
> We will use '@group' to denote a group name, as similarly done in
> AccessController.
> For example,
> {code}
> set_auths '@group1', ['SECRET','PRIVATE']
> {code}
> {code}
> get_auths '@group1'
> {code}
> A user belonging to 'group1' will have all the visibility labels granted to
> 'group1'.
> We'll also support super user groups as specified in hbase-site.xml.
> The code update will mainly be on the server side VisibilityLabelService
> implementation.
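
The three call patterns described in the comment above (user plus groups, user only, group only), as an added example that is not part of the original message and not HBase's implementation. The class `GroupAuthsModel`, the helper `getAuthsForPrincipal`, the user `alice` and her grant are hypothetical, and the `systemCall` parameter is omitted because the message does not say how it changes the result.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Illustrative in-memory model, not HBase's VisibilityLabelService implementation. */
public class GroupAuthsModel {
    // Principal -> granted labels; group principals are stored under '@' + name.
    private final Map<String, Set<String>> grants = new HashMap<>();

    void setAuths(String principal, String... labels) {
        grants.computeIfAbsent(principal, k -> new LinkedHashSet<>()).addAll(Arrays.asList(labels));
    }

    /** Same null contract as the quoted Javadoc: either argument may be null. */
    List<String> getAuths(byte[] user, String[] groups) {
        Set<String> out = new LinkedHashSet<>(); // union, de-duplicated
        if (user != null) {
            String name = new String(user, StandardCharsets.UTF_8);
            out.addAll(grants.getOrDefault(name, Collections.emptySet()));
        }
        if (groups != null) {
            for (String g : groups) {
                out.addAll(grants.getOrDefault("@" + g, Collections.emptySet()));
            }
        }
        return new ArrayList<>(out);
    }

    /** Shell-style lookup: '@name' is group-only, anything else is user-only. */
    List<String> getAuthsForPrincipal(String principal) {
        if (principal.startsWith("@")) {
            return getAuths(null, new String[] { principal.substring(1) });
        }
        return getAuths(principal.getBytes(StandardCharsets.UTF_8), null);
    }

    public static void main(String[] args) {
        GroupAuthsModel m = new GroupAuthsModel();
        m.setAuths("alice", "PRIVATE");             // constructed user and grant
        m.setAuths("@group1", "SECRET", "PRIVATE"); // grant from the issue's example
        byte[] alice = "alice".getBytes(StandardCharsets.UTF_8);
        // Server side: active user plus the groups that user belongs to.
        System.out.println("effective:  " + m.getAuths(alice, new String[] { "group1" }));
        // Client request: the user's own grants, no implicit group expansion.
        System.out.println("user only:  " + m.getAuthsForPrincipal("alice"));
        // Equivalent of: get_auths '@group1'
        System.out.println("group only: " + m.getAuthsForPrincipal("@group1"));
    }
}
```

When auditing who can read a labelled cell, the effective set (user plus groups) is the one that matters; the user-only view understates access once group grants exist.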