[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13826849#comment-13826849 ] Hudson commented on HBASE-7663: --- SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #844 (See [https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/844/]) HBASE-7663 [Per-KV security] Visibility labels (anoopsamjohn: rev 1543314) * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Get.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Mutation.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Query.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Scan.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/CellVisibility.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/InvalidLabelException.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/LabelAlreadyExistsException.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsValidator.java * /hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/util/StreamUtils.java * /hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/ClientProtos.java * /hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/VisibilityLabelsProtos.java * /hbase/trunk/hbase-protocol/src/main/protobuf/Client.proto * /hbase/trunk/hbase-protocol/src/main/protobuf/VisibilityLabels.proto * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ExpressionExpander.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ExpressionParser.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ParseException.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/SimpleScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ZKVisibilityLabelWatcher.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/ExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/LeafExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/NonLeafExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/Operator.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestExpressionExpander.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestExpressionParser.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java * /hbase/trunk/hbase-shell/src/main/ruby/hbase.rb * /hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb * /hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb * /hbase/trunk/hbase-shell/src/main/rub
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13826327#comment-13826327 ] Hudson commented on HBASE-7663: --- SUCCESS: Integrated in HBase-TRUNK #4687 (See [https://builds.apache.org/job/HBase-TRUNK/4687/]) HBASE-7663 [Per-KV security] Visibility labels (anoopsamjohn: rev 1543314) * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Get.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Mutation.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Query.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Scan.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ProtobufUtil.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/Authorizations.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/CellVisibility.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/InvalidLabelException.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/LabelAlreadyExistsException.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java * /hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsValidator.java * /hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/util/StreamUtils.java * /hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/ClientProtos.java * /hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/VisibilityLabelsProtos.java * /hbase/trunk/hbase-protocol/src/main/protobuf/Client.proto * /hbase/trunk/hbase-protocol/src/main/protobuf/VisibilityLabels.proto * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ExpressionExpander.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ExpressionParser.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ParseException.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/SimpleScanLabelGenerator.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelFilter.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/ZKVisibilityLabelWatcher.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/ExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/LeafExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/NonLeafExpressionNode.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/expression/Operator.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestExpressionExpander.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestExpressionParser.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java * /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java * /hbase/trunk/hbase-shell/src/main/ruby/hbase.rb * /hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb * /hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb * /hbase/trunk/hbase-shell/src/main/ruby/shell.rb * /hbase/trunk/hbas
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13826218#comment-13826218 ] Anoop Sam John commented on HBASE-7663: --- Committed to Trunk.. Thanks to Ram for pairing with me in this implementation. Thanks to Andrew for his suggestions, discussions, and reviews. Thanks to Stack for his detailed review and comments. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch, > HBASE-7663_V9.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825183#comment-13825183 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12614342/HBASE-7663_V9.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 15 new or modified tests. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 10 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7910//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch, > HBASE-7663_V9.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13824759#comment-13824759 ] stack commented on HBASE-7663: -- I skimmed diffs since my review. Seems good to me. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13824758#comment-13824758 ] Anoop Sam John commented on HBASE-7663: --- Will commit tomorrow unless objections > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13823896#comment-13823896 ] Andrew Purtell commented on HBASE-7663: --- Still +1 after rebase. If you are waiting further [~anoop.hbase] can you extract the new base class for Get and Scan into a separate patch and commit it so I can update HBASE-7662? > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13822253#comment-13822253 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12613788/HBASE-7663_V8.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 10 new or modified tests. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 2 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7857//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch, HBASE-7663_V8.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13820950#comment-13820950 ] Anoop Sam John commented on HBASE-7663: --- Trunk is changed with tagsIterator() moving from KV. Will rebase and give a patch soon. Also need HBASE-9962 in. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13820536#comment-13820536 ] Andrew Purtell commented on HBASE-7663: --- +1 v7 patch, looks good > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13820450#comment-13820450 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12613323/HBASE-7663_V7.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 10 new or modified tests. {color:red}-1 hadoop1.0{color}. The patch failed to compile against the hadoop 1.0 profile. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7822//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch, HBASE-7663_V7.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13818725#comment-13818725 ] ramkrishna.s.vasudevan commented on HBASE-7663: --- +1. For now can move authorizations and acl things into that super class. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13818724#comment-13818724 ] Anoop Sam John commented on HBASE-7663: --- +1 for having a base class like Mutation. +1 for the name Query. There are many setter and getters which are common for Scan and Get, like setFilter, setTimeRange, setTimeStamp etc. All these setters are returning current object for chained call. So moving these to its base class will change the signature! New methods for Authorizations and acl can be in super class. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815107#comment-13815107 ] Andrew Purtell commented on HBASE-7663: --- bq. Should we have an Interface that is other-than-Mutation that Scan and Get implement (and Increment i suppose since it retturns a value)? I have the same issue over on the cell ACL patch, I need to duplicate these convenience getters and setters in Get, Mutation, and Scan. It would be good to have a common interface or base class for Scan and Get, maybe 'Query' (for symmetry with Mutation)? I have fun in places receiving OperationWithAttributes and then downcasting, that would go away. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815075#comment-13815075 ] stack commented on HBASE-7663: -- Skimming the patch... Should setAuthorizations and getAuthorizations be pushed up to the super class or do they only apply to certain 'types' -- like setCellVisibility and getCellVisibility. Or seems like they are for Get and Scan only. Should we have an Interface that is other-than-Mutation that Scan and Get implement (and Increment i suppose since it retturns a value)? We'd add these methods there? An illegal operation is different to an AccessDeniedE? It is not necessarily of the security realm? Does CellVisibility need a class comment? Or maybe it is ok given it is in the visibility package and it is called CellVisibility (no need to be pedantic) Ok... let me go look at your responses up on RB now.. I realize I did not go back to them. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13814665#comment-13814665 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12612320/HBASE-7663_V6.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 10 new or modified tests. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 1 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:red}-1 findbugs{color}. The patch appears to introduce 6 new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7744//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch, > HBASE-7663_V6.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13813021#comment-13813021 ] Andrew Purtell commented on HBASE-7663: --- Carrying over a discussion from RB: {quote} If the latest KV was skipped due to a label mismatch the previous KV was getting included. May be we can check for the same in ACLs too? we can come up with a common soln. {quote} This is correct behavior. Cell permissions are a part of the HBase data model, not separate from it. If you want to hide/overwrite all previous versions of a cell then you have to lay down a delete marker and then a new value with a later timestamp. If you want only one version of a cell with the latest visibility or ACL, then it's the same. This is easy to reason about. We say all policies apply at the point in time when the value is stored. This allows easy policy evolution over time. If a user does not have permission or visibility to read the current value, but did have permission or visibility to read the previous version, then they should still see the previous version, because the policy that allowed the user to read the previous version was in effect at that time. This does make increments and appends interesting but otherwise we are special casing how permissions work relative the rest of the HBase model. We should document this stuff carefully. If delete-then-put (or read-delete-put) is inconvenient (I think it is explicit) then we can consider adding a DeleteAndPut op or similar. Actually that would also address open JIRAs regarding deletes and puts with the same timestamp. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13812128#comment-13812128 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12611779/HBASE-7663_V5.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 10 new or modified tests. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:red}-1 findbugs{color}. The patch appears to introduce 4 new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7713//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch, HBASE-7663_V5.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811959#comment-13811959 ] Hadoop QA commented on HBASE-7663: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12611752/HBASE-7663_V4.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 10 new or modified tests. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 13 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:red}-1 findbugs{color}. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:red}-1 core tests{color}. The patch failed these unit tests: org.apache.hadoop.hbase.security.visibility.TestVisibilityLabelsWithACL org.apache.hadoop.hbase.security.visibility.TestVisibilityLabels Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7711//console This message is automatically generated. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Fix For: 0.98.0 > > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch, HBASE-7663_V4.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808011#comment-13808011 ] Andrew Purtell commented on HBASE-7663: --- V3 patch is looking pretty good Anoop. Debug logging should be wrapped in if (LOG.isDebugEnabled()) conditionals. Could use an integration test. Can be follow on work, like HBASE-9846. If ParseException is going to be thrown back to clients, it should be in hbase-client. In VisibilityController you have this TODO: {code} TODO this can be made as a global LRU cache at HRS level? {code} Could be follow on work but I guess there will be another patch here soon that contains one? In VisibilityController#preScannerOpen there is this empty conditional: {code} if (region.getRegionInfo().getTable().isSystemTable()) { } {code} What is supposed to happen here? "getSyetmAndSuperUsers" is misspelled. In ZKVisibilityLabelWatcher should we be calling sync() on the ZK handle to insure we are up to date? Should we look at javaEWAH instead of BitSet? Consider unit test coverage for the new labels commands, I guess somewhere in the visibility unit tests since they require the CP to be installed. The VisibilityController init code assumes if the AccessController is loaded it will be the first in the chain. Should we rely on that? > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807718#comment-13807718 ] Anoop Sam John commented on HBASE-7663: --- Visibility Label admin operations Labels can be added to the system using VisibilityClient#addLabels(). Also can use add_labels shell command Only super user (hbase.superuse) have permission to add the labels into the system. A set of labels can be associated for a user using setAuths. [VisibilityClient#setAuths()] Similarly labels can be removed from user auths using clearAuths. getAuths API can be used to view user auths. Also there is support for set_auths, clear_auths and get_auths shell commands Same way as in addLabels only super user have permission for these operations. When AccessController is ON the permission checks are handled by AC. Using AC along with Visibility is optional. When AC is not available, permission checks are done at VisibilityController level itself. > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Attachments: HBASE-7663.patch, HBASE-7663_V2.patch, > HBASE-7663_V3.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13797759#comment-13797759 ] Anoop Sam John commented on HBASE-7663: --- https://reviews.apache.org/r/14709/ > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Attachments: HBASE-7663.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-7663) [Per-KV security] Visibility labels
[ https://issues.apache.org/jira/browse/HBASE-7663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13797755#comment-13797755 ] Anoop Sam John commented on HBASE-7663: --- VisibilityController CP handles the visibility The visibility labels are stored as tags with KVs Use put.setCellVisibility(new CellVisibility()); to add visibility expressions to cells The label expression can contain visibility labels joined with logical expressions &, | and !. Also using (, ) one can specify the precedence order Eg : SECRET & CONFIDENTIAL & !PUBLIC During read, (Scan/Get) one can specify labels associated with that, in Authorizations scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); > [Per-KV security] Visibility labels > --- > > Key: HBASE-7663 > URL: https://issues.apache.org/jira/browse/HBASE-7663 > Project: HBase > Issue Type: Sub-task > Components: Coprocessors, security >Affects Versions: 0.98.0 >Reporter: Andrew Purtell >Assignee: Anoop Sam John > Attachments: HBASE-7663.patch > > > Implement Accumulo-style visibility labels. Consider the following design > principles: > - Coprocessor based implementation > - Minimal to no changes to core code > - Use KeyValue tags (HBASE-7448) to carry labels > - Use OperationWithAttributes# {get,set}Attribute for handling visibility > labels in the API > - Implement a new filter for evaluating visibility labels as KVs are streamed > through. > This approach would be consistent in deployment and API details with other > per-KV security work, supporting environments where they might be both be > employed, even stacked on some tables. > See the parent issue for more discussion. -- This message was sent by Atlassian JIRA (v6.1#6144)