[ https://issues.apache.org/jira/browse/HBASE-3025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13153404#comment-13153404 ]
Hudson commented on HBASE-3025:
-------------------------------

Integrated in HBase-TRUNK #2459 (See [https://builds.apache.org/job/HBase-TRUNK/2459/])
    HBASE-3025 Security: coprocessor based access control

garyh :
Files :
* /hbase/trunk/CHANGES.txt
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlFilter.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessControllerProtocol.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/Permission.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/TablePermission.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/UserPermission.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionObserver.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* /hbase/trunk/src/main/resources/hbase-default.xml
* /hbase/trunk/src/main/ruby/hbase.rb
* /hbase/trunk/src/main/ruby/hbase/admin.rb
* /hbase/trunk/src/main/ruby/hbase/hbase.rb
* /hbase/trunk/src/main/ruby/hbase/security.rb
* /hbase/trunk/src/main/ruby/shell.rb
* /hbase/trunk/src/main/ruby/shell/commands.rb
* /hbase/trunk/src/main/ruby/shell/commands/grant.rb
* /hbase/trunk/src/main/ruby/shell/commands/revoke.rb
* /hbase/trunk/src/main/ruby/shell/commands/user_permission.rb

> Coprocessor based simple access control
> ---------------------------------------
>
> Key: HBASE-3025
> URL: https://issues.apache.org/jira/browse/HBASE-3025
> Project: HBase
> Issue Type: Sub-task
> Components: coprocessors
> Reporter: Andrew Purtell
> Priority: Critical
> Fix For: 0.92.0
>
> Attachments: HBASE-3025.1.patch, HBASE-3025_5.patch, HBASE-3025_6.patch
>
>
> Thanks for the clarification Jeff which reminds me to edit this issue.
>
> Goals of this issue
> # Client access to HBase is authenticated
> # User data is private unless access has been granted
> # Access to data can be granted at a table or per column family basis.
>
> Non-Goals of this issue
> The following items will be left out of the initial implementation for
> simplicity:
> # Row-level or per value (cell)
> This would require broader changes for
> storing the ACLs inline with rows. It's still a future goal, but would slow
> down the initial implementation considerably.
> # Push down of file ownership to HDFS
> While table ownership seems like a
> useful construct to start with (at least to lay the groundwork for future
> changes), making HBase act as table owners when interacting with HDFS would
> require more changes. In addition, while HDFS file ownership would make
> applying quotas easy, and possibly make bulk imports more straightforward,
> it's not clear it would offer a more secure setup. We'll leave this to
> evaluate in a later phase.
> # HBase managed "roles" as collections of permissions
> We will not model
> "roles" internally in HBase to begin with. We will instead allow group names
> to be granted permissions, which will allow some external modeling of roles
> via group memberships. Groups will be created and manipulated externally to
> HBase.
> While the assignment of permissions to roles and roles to users (or other
> roles) allows a great deal of flexibility in security policy, it would add
> complexity to the initial implementation.
> After the initial implementation, which will appear on this issue, we will
> evaluate the addition of role definitions internal to HBase in a new JIRA. In
> this scheme, administrators could assign permissions specifying HDFS groups,
> and additionally HBase roles. HBase roles would be created and manipulated
> internally to HBase, and would appear distinct from HDFS groups via some
> syntactic sugar. HBase role definitions will be allowed to reference other
> HBase role definitions.