[
https://issues.apache.org/jira/browse/HBASE-21995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787657#comment-16787657
]
Yi Mei commented on HBASE-21995:
--------------------------------
Thanks for your comments.
To make this feature less nested in HBase original operations and configurable,
so we consider to add a master coprocessor to implement it. Since it's
configurable, we can decide whether to use this feature.
And acl operations may be much slower, but HBase users can scan table much
faster by scanning snapshots, and have less impact on the cluster's
availablity, it's very useful in our clusters.
> Add a coprocessor to set HDFS ACL for hbase granted user
> --------------------------------------------------------
>
> Key: HBASE-21995
> URL: https://issues.apache.org/jira/browse/HBASE-21995
> Project: HBase
> Issue Type: Sub-task
> Reporter: Yi Mei
> Priority: Major
>
> To make hbase granted user have the access to scan table snapshots, use HDFS
> ACLs to set user read permission over hfiles.
> The basic implementation is:
> 1. For public directories such as 'data' and 'archive', set other users'
> permission to '--x' to make everyone have the permission to access the
> directory.
> 2. For namespace or table directories such as 'data/ns/table',
> 'archive/ns/table' and '.hbase-snapshot/snapshotName', set user 'r-x' acl and
> default 'r-x' acl when following operations happen:
> grant to namespace or table / revoke from namespace or table / snapshot table
>
> For more details, please reference the design doc:
> https://docs.google.com/document/d/1D2iAdbrW5CcKc2SthJBXA1n2tTMTftuVaFtxbOWFuqM/edit#heading=h.uwo33s7kz427
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)