[ 
https://issues.apache.org/jira/browse/HBASE-18659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16138891#comment-16138891
 ] 

Andrew Purtell commented on HBASE-18659:
----------------------------------------

You can't do this only at the table level. ACLs can be applied at namespace, 
table, column family levels, and also *per-cell*. 

Setting aside cell ACLs as a special case, the AccessController has logic that 
walks the hierarchy namespace -> table -> CF when doing permissions checks. 
HDFS doesn't do this. Therefore all HDFS level ACLs must operate at the 
smallest granularity, which is CF. 

Setting HDFS level permissions on the CF which do not take into account per-cell 
ACLs will break access to those cells granted special access. That said, 
as an incompatible change for HBase 3, we can remove cell ACLs. Or, it could be 
adequate to just document that scanning snapshots directly on HDFS is 
incompatible with cell ACLs, so cell ACLs would be ignored. 

> Use HDFS ACL to give user the ability to read snapshot directly on HDFS
> -----------------------------------------------------------------------
>
>                 Key: HBASE-18659
>                 URL: https://issues.apache.org/jira/browse/HBASE-18659
>             Project: HBase
>          Issue Type: New Feature
>            Reporter: Duo Zhang
>
> In the dev meetup notes in Shenzhen after HBaseCon Asia, there is a topic 
> about the permission to read hfiles on HDFS directly.
> {quote}
> For client-side scanner going against hfiles directly; is there a means of 
> being able to pass the permissions from hbase to hdfs?
> {quote}
> And at Xiaomi we also face the same problem. {{SnapshotScanner}} is much 
> faster and consumes fewer resources, but only the super user has the ability to 
> read hfiles directly on HDFS.
> So here we want to use HDFS ACL to address this problem.
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_File_System_API
> The basic idea is to set acl and default on the table directory on HDFS for 
> the users who have the permission to read the table on HBase.
> Suggestions are welcomed.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
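
The granularity point in the comment above, as an added example that is not part of the original message and not HBase code: a simplified Python model in which read grants inherited through namespace -> table -> CF are flattened into explicit per-CF ACL entries, and cell-level grants that the flattened ACLs cannot express are reported. All grants, schema names and function names are constructed assumptions; the `user:<name>:r-x` strings follow the HDFS ACL entry syntax.

```python
# Added illustration: a simplified model, not HBase's AccessController code.
from collections import defaultdict

# Constructed sample grants: (user, namespace, table or None, family or None).
# None means the grant applies to everything below that level.
READ_GRANTS = [
    ("alice", "ns1", None, None),      # namespace-level grant
    ("bob",   "ns1", "t1", None),      # table-level grant
    ("carol", "ns1", "t1", "cf_a"),    # column-family-level grant
]

# Constructed schema: namespace -> table -> column families.
SCHEMA = {"ns1": {"t1": ["cf_a", "cf_b"], "t2": ["cf_x"]}}

# Constructed cell-level grants; a per-CF HDFS ACL cannot represent these.
CELL_GRANTS = [("dave", "ns1", "t1", "cf_b")]


def hierarchical_can_read(user, ns, table, cf, grants=READ_GRANTS):
    """Walk namespace -> table -> CF, the hierarchy the comment describes."""
    for g_user, g_ns, g_table, g_cf in grants:
        if g_user != user or g_ns != ns:
            continue
        if g_table is None:                      # namespace grant covers all
            return True
        if g_table == table and g_cf in (None, cf):
            return True
    return False


def flatten_to_cf_acls(schema=SCHEMA, grants=READ_GRANTS):
    """Materialize every inherited grant as an explicit per-CF ACL entry."""
    users = sorted({g[0] for g in grants})
    acls = defaultdict(list)
    for ns, tables in schema.items():
        for table, cfs in tables.items():
            for cf in cfs:
                for user in users:
                    if hierarchical_can_read(user, ns, table, cf, grants):
                        acls[(ns, table, cf)].append(f"user:{user}:r-x")
    return dict(acls)


def cell_acl_gaps(acls, cell_grants=CELL_GRANTS):
    """Users whose cell-level grant is lost once only CF ACLs are enforced."""
    return [(u, ns, t, cf) for u, ns, t, cf in cell_grants
            if f"user:{u}:r-x" not in acls.get((ns, t, cf), [])]
```
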
