[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization

Fri, 27 Mar 2015 04:19:50 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14383673#comment-14383673
 ] 

Anoop Sam John commented on HBASE-13275:
----------------------------------------

bq.Of course you'll want to drop the ACL table before starting over with active 
enforcement, issuing necessary grants again.
So what will be the real adv of we allow the admin ops in passive mode? Am I 
missing any thing?

bq.Regarding cell ACLs, ACL tags can be submitted directly by the client via 
cells with tags unless the AC is installed. It's no different if the AC is 
passive. Either way when you set up for enforcement you'll want to wipe the 
data and start new. Or, if this is a case where an insecure application is 
being migrated to a secure environment (with or without a passive trial) then 
we'd already need a migration tool that sanitizes pre-existing data.
One correction Andy..  It is not possible for the client to pass the cell acl 
(and vis labels) directly within Cell. That should not be allowed in future 
also IMO. Right now any way we dont allow passing Tags from client to server 
(Unless user is a super user)


> Setting hbase.security.authorization to false does not disable authorization
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-13275
>                 URL: https://issues.apache.org/jira/browse/HBASE-13275
>             Project: HBase
>          Issue Type: Bug
>            Reporter: William Watson
>            Assignee: Andrew Purtell
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13
>
>         Attachments: HBASE-13275.patch, HBASE-13275.patch
>
>
> According to the docs provided by Cloudera (we're not running Cloudera, BTW), 
> this is the list of configs to enable authorization in HBase:
> {code}
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
> We wanted to then disable authorization but simply setting 
> hbase.security.authorization to false did not disable the authorization



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to