[ https://issues.apache.org/jira/browse/HBASE-16071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15607878#comment-15607878 ]
ChiaPing Tsai commented on HBASE-16071: --------------------------------------- {quote} May be we need to consider version = Math.min(requestedMaxVersion , hcd.getMaxVersions()); {quote} The AccessControlFilter's max version should be equal with ScanWildcardColumnTracker’s max version. I mean doing this {noformat} int maxVersions = scan.isRaw() ? scan.getMaxVersions() : Math.min(scan.getMaxVersions(), scanInfo.getMaxVersions()); {noformat} If AccessControlFilter's max version is bigger than ScanWildcardColumnTracker’s max version, AccessControlFilter will authorize the unnecessary cell. Because the Filter#filterKeyValue(cell) is getting called before calling ColumnTracker#checkVersions. {code:title=UserScanQueryMatcher.java|borderStyle=solid} ReturnCode filterResponse = ReturnCode.SKIP; // STEP 2: Yes, the column is part of the requested columns. Check if filter is present if (filter != null) { // STEP 3: Filter the key value and return if it filters out filterResponse = filter.filterKeyValue(cell); switch (filterResponse) { case SKIP: return MatchCode.SKIP; case NEXT_COL: return columns.getNextRowOrNextColumn(cell); case NEXT_ROW: stickyNextRow = true; return MatchCode.SEEK_NEXT_ROW; case SEEK_NEXT_USING_HINT: return MatchCode.SEEK_NEXT_USING_HINT; default: // It means it is either include or include and seek next break; } } colChecker = columns.checkVersions(cell, timestamp, typeByte, false); {code} If AccessControlFilter's max version is smaller than ScanWildcardColumnTracker’s max version, AccessControlFilter will loss some cells. bq. But Filter#filterCell is getting called before applying deleted logic, expiry logic etc. (If the Filter#filterCell is the Filter#filterKeyValue) The RawScanQueryMatcher#match(cell) is shown below. {code:title=RawScanQueryMatcher.java|borderStyle=solid} @Override public MatchCode match(Cell cell) throws IOException { if (filter != null && filter.filterAllRemaining()) { return MatchCode.DONE_SCAN; } MatchCode returnCode = preCheck(cell); if (returnCode != null) { return returnCode; } // For a raw scan, we do not filter out any cells by delete marker, and delete marker is also // returned, so we do not need to track delete. return matchColumn(cell); } {code} The expiry logic is implemented in ScanQueryMatcher#preCheck. So Filter#filterKeyValue is getting called “after” applying expiry logic. And the RawScanQueryMatcher doesn’t apply any deleted logic. So it seems to me that the deleted logic and expiry logic are not problem. Sorry if I made any mistake, and thanks for your feedback. > The VisibilityLabelFilter and AccessControlFilter should not count the > "delete cell" > ------------------------------------------------------------------------------------ > > Key: HBASE-16071 > URL: https://issues.apache.org/jira/browse/HBASE-16071 > Project: HBase > Issue Type: Bug > Affects Versions: 2.0.0 > Reporter: ChiaPing Tsai > Assignee: ChiaPing Tsai > Priority: Minor > Fix For: 2.0.0, 1.4.0, 1.3.1 > > Attachments: HBASE-16071-v1.patch, HBASE-16071-v2.patch, > HBASE-16071-v3.patch > > > The VisibilityLabelFilter will see and count the "delete cell" if the > scan.isRaw() returns true, so the (put) cell will be skipped if it has lower > version than "delete cell" > The critical code is shown below: > {code:title=VisibilityLabelFilter.java|borderStyle=solid} > public ReturnCode filterKeyValue(Cell cell) throws IOException { > if (curFamily.getBytes() == null > || !(CellUtil.matchingFamily(cell, curFamily.getBytes(), > curFamily.getOffset(), > curFamily.getLength()))) { > curFamily.set(cell.getFamilyArray(), cell.getFamilyOffset(), > cell.getFamilyLength()); > // For this family, all the columns can have max of > curFamilyMaxVersions versions. No need to > // consider the older versions for visibility label check. > // Ideally this should have been done at a lower layer by HBase (?) > curFamilyMaxVersions = cfVsMaxVersions.get(curFamily); > // Family is changed. Just unset curQualifier. > curQualifier.unset(); > } > if (curQualifier.getBytes() == null > || !(CellUtil.matchingQualifier(cell, curQualifier.getBytes(), > curQualifier.getOffset(), > curQualifier.getLength()))) { > curQualifier.set(cell.getQualifierArray(), cell.getQualifierOffset(), > cell.getQualifierLength()); > curQualMetVersions = 0; > } > curQualMetVersions++; > if (curQualMetVersions > curFamilyMaxVersions) { > return ReturnCode.SKIP; > } > return this.expEvaluator.evaluate(cell) ? ReturnCode.INCLUDE : > ReturnCode.SKIP; > } > {code} > [VisibilityLabelFilter.java|https://github.com/apache/hbase/blob/d7a4499dfc8b3936a0eca867589fc2b23b597866/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java] -- This message was sent by Atlassian JIRA (v6.3.4#6332)