[ https://issues.apache.org/jira/browse/HBASE-12745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14268906#comment-14268906 ]
Anoop Sam John commented on HBASE-12745: ---------------------------------------- One suggestion {code} - public boolean havingSystemAuth(byte[] user) throws IOException { + public boolean havingSystemAuth(User user) throws IOException { // A super user has 'system' auth. if (isSystemOrSuperUser(user)) { return true; } // A user can also be explicitly granted 'system' auth. - List<String> auths = this.getAuths(user, true); + Set<String> auths = new HashSet<String>(); + auths.addAll(this.getUserAuths(Bytes.toBytes(user.getShortName()), true)); + auths.addAll(this.getGroupAuths(user.getGroupNames(), true)); if (LOG.isTraceEnabled()) { - LOG.trace("The auths for user " + Bytes.toString(user) + " are " + auths); + LOG.trace("The auths for user " + user.getShortName() + " are " + auths); } return auths.contains(SYSTEM_LABEL); } {code} Better do early check for SYSTEM_LABEL for user auths and early out. Then go with group auths Else looks good.. > Visibility Labels: support visibility labels for user groups. > -------------------------------------------------------------- > > Key: HBASE-12745 > URL: https://issues.apache.org/jira/browse/HBASE-12745 > Project: HBase > Issue Type: Improvement > Components: security > Affects Versions: 1.0.0, 0.98.9, 0.99.2 > Reporter: Jerry He > Assignee: Jerry He > Fix For: 2.0.0 > > Attachments: HBASE-12745-master-v1.patch, > HBASE-12745-master-v2.patch, HBASE-12745-master-v3.patch > > > The thinking is that we should support visibility labels to be associated > with user groups. > We will then be able grant visibility labels to a group in addition to > individual users, which provides convenience and usability. > We will use '@group' to denote a group name, as similarly done in > AcccessController. > For example, > {code} > set_auths '@group1', ['SECRET','PRIVATE'] > {code} > {code} > get_auth '@group1' > {code} > A user belonging to 'group1' will have all the visibility labels granted to > 'group1' > We'll also support super user groups as specified in hbase-site.xml. > The code update will mainly be on the server side VisibilityLabelService > implementation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)