[ https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14256635#comment-14256635 ]

Jerry He commented on HBASE-12745:
----------------------------------

Hi, 
In VisibilityLabelService, we have this function:
{code}
  /**
   * Retrieve the visibility labels for the user and groups.
   * @param user
   *          Name of the user whose authorization to be retrieved
   *          Can be null if only group authorizations are to be retrieved
   * @param groups
   *          List of groups whose authorization to be retrieved
   *          Can be null if only user authorizations are to be retrieved
   * @param systemCall
   *          Whether a system or user originated call.
   * @return Visibility labels authorized for the given user.
   */
  List<String> getAuths(byte[] user, String[] groups, boolean systemCall)
      throws IOException;
{code}

In most cases on the server side, we will use the user name and groups from 
{code}
User user = VisibilityUtils.getActiveUser();
{code}

In some cases, if we only want to retrieve a user's visibility labels without 
the implicit group expansion (e.g. from a Visibility client request), we will 
pass 'null' as the group argument.
Similarly, if we only want to retrieve a group's visibility labels, we will 
pass 'null' as the user name argument, e.g. from the hbase shell:
get_auths '@group1'

These different requirements complicate things a little.

> Visibility Labels:  support visibility labels for user groups.
> --------------------------------------------------------------
>
>                 Key: HBASE-12745
>                 URL: https://issues.apache.org/jira/browse/HBASE-12745
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.0, 0.98.9, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 2.0.0
>
>         Attachments: HBASE-12745-master-v1.patch
>
>
> The thinking is that we should support visibility labels to be associated 
> with user groups.
> We will then be able to grant visibility labels to a group in addition to 
> individual users, which provides convenience and usability.
> We will use '@group' to denote a group name, as similarly done in 
> AccessController.
> For example, 
> {code}
> set_auths '@group1', ['SECRET','PRIVATE']
> {code}
> {code}
> get_auths '@group1'
> {code}
> A user belonging to 'group1' will have all the visibility labels granted to 
> 'group1'
> We'll also support super user groups as specified in hbase-site.xml.
> The code update will mainly be on the server side VisibilityLabelService 
> implementation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
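
Added example (not part of the original message and not HBase's implementation): an in-memory model of the three lookup modes the comment describes for getAuths, namely user plus implicit group expansion, user only (groups == null), and group only (user == null). The class GroupAuthsSketch, the helper lookup(), the String-typed user argument, the omitted systemCall flag and the sample grants are all assumptions made for illustration.

```java
import java.util.*;

// Illustrative sketch only; names and data are constructed, not taken from HBase.
public class GroupAuthsSketch {
    // Grants keyed by principal; group principals carry the '@' prefix.
    private final Map<String, Set<String>> grants = new HashMap<>();

    void setAuths(String principal, String... labels) {
        grants.computeIfAbsent(principal, k -> new LinkedHashSet<>())
              .addAll(Arrays.asList(labels));
    }

    // user == null: group-only lookup. groups == null: no group expansion.
    List<String> getAuths(String user, String[] groups) {
        Set<String> result = new LinkedHashSet<>();
        if (user != null) {
            result.addAll(grants.getOrDefault(user, Collections.emptySet()));
        }
        if (groups != null) {
            for (String g : groups) {
                result.addAll(grants.getOrDefault("@" + g, Collections.emptySet()));
            }
        }
        return new ArrayList<>(result);
    }

    // Client-style request for a single principal: an '@' prefix routes the name
    // to the groups argument, so a user-only query never picks up group labels.
    List<String> lookup(String principal) {
        if (principal.startsWith("@")) {
            return getAuths(null, new String[] { principal.substring(1) });
        }
        return getAuths(principal, null);
    }

    public static void main(String[] args) {
        GroupAuthsSketch svc = new GroupAuthsSketch();
        svc.setAuths("alice", "PUBLIC");                // constructed sample grant
        svc.setAuths("@group1", "SECRET", "PRIVATE");   // constructed sample grant

        // Server side: active user together with the groups the user belongs to.
        System.out.println(svc.getAuths("alice", new String[] { "group1" }));
        // User-only request: no implicit group expansion.
        System.out.println(svc.lookup("alice"));
        // Group-only request, as in: get_auths '@group1'
        System.out.println(svc.lookup("@group1"));
    }
}
```

The point to check in any real implementation is the second case: a user-only query that silently applied group expansion would report labels that were granted to the group, not to the user.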
