[HBASE-6104] Require EXEC permission to call coprocessor endpoints - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.98.0, 0.99.0
Component/s: Coprocessors, security
Labels:
None

Hadoop Flags:

Reviewed
Release Note:

Hide
If access control is active (the AccessController coprocessor is installed either as a system coprocessor or on a table as a table coprocessor) and the "hbase.security.exec.permission.checks" configuration setting is "true", then you must now grant all relevant users EXEC privilege if they require the ability to execute coprocessor endpoint calls. EXEC privilege, like any other permission, can be granted globally to a user, or to a user on a per table or per namespace basis. For more information on coprocessor endpoints, see the coprocessor section of the HBase online manual. For more information on granting or revoking permissions using the AccessController, see the security section of the HBase online manual.

Show
If access control is active (the AccessController coprocessor is installed either as a system coprocessor or on a table as a table coprocessor) and the "hbase.security.exec.permission.checks" configuration setting is "true", then you must now grant all relevant users EXEC privilege if they require the ability to execute coprocessor endpoint calls. EXEC privilege, like any other permission, can be granted globally to a user, or to a user on a per table or per namespace basis. For more information on coprocessor endpoints, see the coprocessor section of the HBase online manual. For more information on granting or revoking permissions using the AccessController, see the security section of the HBase online manual.

Description

The EXEC action currently exists as only a placeholder in access control. It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted.

How the ACLs to support this would be modeled deserves some discussion:

Should access be scoped to a specific table and CoprocessorProtocol extension?
Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?
Are per-method restrictions necessary?
Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE.

To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

6104.patch
20/Dec/13 22:06
8 kB
Andrew Kyle Purtell
6104.patch
21/Dec/13 01:43
9 kB
Andrew Kyle Purtell
6104.patch
23/Dec/13 01:43
16 kB
Andrew Kyle Purtell
6104.patch
23/Dec/13 03:41
19 kB
Andrew Kyle Purtell
6104.patch
23/Dec/13 09:19
20 kB
Andrew Kyle Purtell
6104-addendum-1.patch
26/Dec/13 04:19
0.8 kB
Andrew Kyle Purtell
6104-revert.patch
26/Dec/13 04:47
19 kB
Andrew Kyle Purtell
6104.patch
26/Dec/13 22:55
19 kB
Andrew Kyle Purtell
6104.patch
06/Jan/14 22:16
23 kB
Andrew Kyle Purtell

Issue Links

is blocked by

HBASE-10226 [AccessController] Namespace grants not always checked

Closed

HBASE-10239 Improve determinism and debugability of TestAccessController

Closed

Activity

People

Assignee:: Andrew Kyle Purtell

Reporter:: Gary Helmling

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 25/May/12 19:44

Updated:: 21/Feb/15 23:33

Resolved:: 07/Jan/14 01:23