[
https://issues.apache.org/jira/browse/HBASE-5498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13291182#comment-13291182
]
Zhihong Ted Yu commented on HBASE-5498:
---------------------------------------
{code}
+ * @param familyPaths list of family names to store files adding
+ * or removing from this list will add or remove HFiles to be bulk loaded.
{code}
Add a period between files and adding. Capitalize 'a' of adding.
{code}
+ for(Pair<byte[], String> el: familyPaths)
+ families.add(el.getFirst());
{code}
Space between for and (, el and colon. families.add() should be put on the same
line as for.
{code}
-class StoreFileScanner implements KeyValueScanner {
+public class StoreFileScanner implements KeyValueScanner {
{code}
I don't see StoreFileScanner accessed in AccessController. So the above change
is not needed.
{code}
+ //TODO make this configurable
+ //two levels so it doesn't get deleted accidentally
+ //no sticky bit in Hadoop 1.0
+ private Path stagingDir = new Path("/tmp/hbase-staging");
{code}
I think the path should be configurable.
{code}
+ private User getActiveUser() throws IOException {
+ User user = RequestContext.getRequestUser();
+ if (!RequestContext.isInRequestContext()) {
{code}
if statement can be lifted above assignment.
{code}
+public interface SecureBulkLoadProtocol extends CoprocessorProtocol {
{code}
Add javadoc for the protocol.
> Secure Bulk Load
> ----------------
>
> Key: HBASE-5498
> URL: https://issues.apache.org/jira/browse/HBASE-5498
> Project: HBase
> Issue Type: Improvement
> Components: mapred, security
> Reporter: Francis Liu
> Attachments: HBASE-5498_draft.patch
>
>
> Design doc:
> https://cwiki.apache.org/confluence/display/HCATALOG/HBase+Secure+Bulk+Load
> Short summary:
> Security as it stands does not cover the bulkLoadHFiles() feature. Users
> calling this method will bypass ACLs. Also loading is made more cumbersome in
> a secure setting because of hdfs privileges. bulkLoadHFiles() moves the data
> from user's directory to the hbase directory, which would require certain
> write access privileges set.
> Our solution is to create a coprocessor which makes use of AuthManager to
> verify if a user has write access to the table. If so, launches a MR job as
> the hbase user to do the importing (ie rewrite from text to hfiles). One
> tricky part this job will have to do is impersonate the calling user when
> reading the input files. We can do this by expecting the user to pass an hdfs
> delegation token as part of the secureBulkLoad() coprocessor call and extend
> an inputformat to make use of that token. The output is written to a
> temporary directory accessible only by hbase and then bulkloadHFiles() is
> called.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
