[HBASE-12745] Visibility Labels: support visibility labels for user groups. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0, 0.98.9, 0.99.2
Fix Version/s: 1.0.0, 0.98.10, 1.1.0
Component/s: security
Labels:
None

Hadoop Flags:

Reviewed
Release Note:

Hide
VisibilityClient API and shell commands can be used to grant and clear visibility authorizations of a group.
e.g.
set_auths '@group1', ['SECRET','PRIVATE']
get_auths '@group1'
clear_auths '@group1', ['SECRET','PRIVATE']

When checking visibility authorizations of a user, the server will include the visibility authorizations of the groups of which the user is a member, together with the user's own.

On the other hand, get_auths 'user1' will only get user1's own visibility authorizations.
clear_auths 'user1' will only clear user1's own visibility authorizations.
The visibility authorizations of a group can be changed by invoking the API or command on the '@group1' itself.

Note:

The following two methods have been deprecated in VisibilityLabelService from 0.98.10 and will be removed in 2.0+ releases.
getAuths(byte[], boolean)
havingSystemAuth(byte[])

Use the following methods instead:
getUserAuths(byte[], boolean)
getGroupAuths(String[], boolean)
havingSystemAuth(User)

Show
VisibilityClient API and shell commands can be used to grant and clear visibility authorizations of a group. e.g. set_auths '@group1', ['SECRET','PRIVATE'] get_auths '@group1' clear_auths '@group1', ['SECRET','PRIVATE'] When checking visibility authorizations of a user, the server will include the visibility authorizations of the groups of which the user is a member, together with the user's own. On the other hand, get_auths 'user1' will only get user1's own visibility authorizations. clear_auths 'user1' will only clear user1's own visibility authorizations. The visibility authorizations of a group can be changed by invoking the API or command on the '@group1' itself. Note: The following two methods have been deprecated in VisibilityLabelService from 0.98.10 and will be removed in 2.0+ releases. getAuths(byte[], boolean) havingSystemAuth(byte[]) Use the following methods instead: getUserAuths(byte[], boolean) getGroupAuths(String[], boolean) havingSystemAuth(User)

Description

The thinking is that we should support visibility labels to be associated with user groups.
We will then be able grant visibility labels to a group in addition to individual users, which provides convenience and usability.
We will use '@group' to denote a group name, as similarly done in AcccessController.
For example,

set_auths '@group1', ['SECRET','PRIVATE']

get_auth '@group1'

A user belonging to 'group1' will have all the visibility labels granted to 'group1'

We'll also support super user groups as specified in hbase-site.xml.

The code update will mainly be on the server side VisibilityLabelService implementation.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

hbase-12745_branch-1-addendum2.patch
26/Jan/15 15:43
3 kB
Anoop Sam John
hbase-12745_branch-1-addendum.patch
26/Jan/15 02:00
5 kB
Enis Soztutar
HBASE-12745-v7-0.98-with-update.patch
22/Jan/15 00:08
53 kB
Jerry He
HBASE-12745-v7-0.98.patch
18/Jan/15 06:04
52 kB
Jerry He
HBASE-12745-v7-branch1.patch
15/Jan/15 06:19
50 kB
Jerry He
HBASE-12745-master-v7.patch
15/Jan/15 06:19
50 kB
Jerry He
HBASE-12745-master-v6.patch
12/Jan/15 18:58
51 kB
Jerry He
HBASE-12745-master-v5.patch
12/Jan/15 01:31
50 kB
Jerry He
HBASE-12745-master-v4.patch
09/Jan/15 00:00
50 kB
Jerry He
HBASE-12745-master-v3.patch
05/Jan/15 21:57
51 kB
Jerry He
HBASE-12745-master-v2.patch
04/Jan/15 21:24
51 kB
Jerry He
HBASE-12745-master-v1.patch
23/Dec/14 03:31
37 kB
Jerry He

Sub-Tasks

Document visibility label support for groups

Closed

Jerry He

Activity

People

Assignee:: Jerry He

Reporter:: Jerry He

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 22/Dec/14 20:15

Updated:: 06/Apr/18 17:55

Resolved:: 26/Jan/15 01:08