[jira] [Commented] (HBASE-3025) Coprocessor based simple access control

[Gary Helmling (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HBASE-3025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13153040#comment-13153040
 ] 

Gary Helmling commented on HBASE-3025:
--------------------------------------

Hmm, the TestAdmin failure might be due to HConnectionKey changes in 
HBASE-2742?  The error is:

{noformat}
org.apache.hadoop.hbase.ZooKeeperConnectionException: An error is preventing 
HBase from connecting to ZooKeeper
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getZooKeeperWatcher(HConnectionManager.java:1266)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.setupZookeeperTrackers(HConnectionManager.java:568)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.<init>(HConnectionManager.java:559)
        at 
org.apache.hadoop.hbase.client.HConnectionManager.getConnection(HConnectionManager.java:183)
        at org.apache.hadoop.hbase.client.HBaseAdmin.<init>(HBaseAdmin.java:110)
        at 
org.apache.hadoop.hbase.client.HBaseAdmin.checkHBaseAvailable(HBaseAdmin.java:1523)
        at 
org.apache.hadoop.hbase.client.TestAdmin.testCheckHBaseAvailableClosesConnection(TestAdmin.java:1416)
...
Caused by: java.io.IOException: Too many open files
        at sun.nio.ch.IOUtil.initPipe(Native Method)
        at sun.nio.ch.EPollSelectorImpl.<init>(EPollSelectorImpl.java:49)
        at 
sun.nio.ch.EPollSelectorProvider.openSelector(EPollSelectorProvider.java:18)
        at java.nio.channels.Selector.open(Selector.java:209)
        at org.apache.zookeeper.ClientCnxn.<init>(ClientCnxn.java:160)
        at org.apache.zookeeper.ClientCnxn.<init>(ClientCnxn.java:331)
        at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:377)
        at 
org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.<init>(RecoverableZooKeeper.java:82)
        at org.apache.hadoop.hbase.zookeeper.ZKUtil.connect(ZKUtil.java:102)
        at 
org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:131)
        at 
org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:105)
        at 
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getZooKeeperWatcher(HConnectionManager.java:1262)
        ... 38 more
{noformat}

Looking into it and will see if I can repro.  I've been getting no failures 
locally.
                
> Coprocessor based simple access control
> ---------------------------------------
>
>                 Key: HBASE-3025
>                 URL: https://issues.apache.org/jira/browse/HBASE-3025
>             Project: HBase
>          Issue Type: Sub-task
>          Components: coprocessors
>            Reporter: Andrew Purtell
>            Priority: Critical
>             Fix For: 0.92.0
>
>         Attachments: HBASE-3025.1.patch, HBASE-3025_5.patch
>
>
> Thanks for the clarification Jeff which reminds me to edit this issue.
> Goals of this issue
> # Client access to HBase is authenticated
> # User data is private unless access has been granted
> # Access to data can be granted at a table or per column family basis. 
> Non-Goals of this issue
> The following items will be left out of the initial implementation for 
> simplicity:
> # Row-level or per value (cell) This would require broader changes for 
> storing the ACLs inline with rows. It's still a future goal, but would slow 
> down the initial implementation considerably.
> # Push down of file ownership to HDFS While table ownership seems like a 
> useful construct to start with (at least to lay the groundwork for future 
> changes), making HBase act as table owners when interacting with HDFS would 
> require more changes. In additional, while HDFS file ownership would make 
> applying quotas easy, and possibly make bulk imports more straightforward, 
> it's not clean it would offer a more secure setup. We'll leave this to 
> evaluate in a later phase.
> # HBase managed "roles" as collections of permissions We will not model 
> "roles" internally in HBase to begin with. We will instead allow group names 
> to be granted permissions, which will allow some external modeling of roles 
> via group memberships. Groups will be created and manipulated externally to 
> HBase. 
> While the assignment of permissions to roles and roles to users (or other 
> roles) allows a great deal of flexibility in security policy, it would add 
> complexity to the initial implementation. 
> After the initial implementation, which will appear on this issue, we will 
> evaluate the addition of role definitions internal to HBase in a new JIRA. In 
> this scheme, administrators could assign permissions specifying HDFS groups, 
> and additionally HBase roles. HBase roles would be created and manipulated 
> internally to HBase, and would appear distinct from HDFS groups via some 
> syntactic sugar. HBase role definitions will be allowed to reference other 
> HBase role definitions. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira