Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-11070 [AccessController] Restore early-out access denial if the user has no access at the table or CF level
  3. HBASE-11077

[AccessController] Restore compatible early-out access denial

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 0.99.0, 0.98.2
    • None
    • None
    • Incompatible change, Reviewed
    • Hide
      Prior to 0.98.0 if a user was not granted access to a column family or partial access (qualifier grants), then the AccessController would immediately throw back an AccessDeniedException. This behavior was changed in 0.98.0 to allow cell level ACLs to grant exceptional access. The user will no longer see an exception; instead the scanner will return result sets only including cells which grant exceptional access. If no such cell level grants are made, then the scanner will return the empty result set.

      This change introduces a configuration setting which restores the pre-0.98.0 behavior. It can be set in the site file for global effect, or per table using HTableDescriptor#setConfiguration. This setting is AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT ("hbase.security.access.early_out"), a boolean. Set to "true" for backwards compatible behavior. As a consequence if there are no grants at the CF level then an AccessDeniedException will be thrown immediately, and cell ACLs will be ignored, unless the cell-first ACL evaluation strategy is used (toggled via Query#setACLStrategy).

      This change also repairs a defect related to audit logging. In all cases, compatible behavior or not, indications of successful or failed access attempts will be logged.
      Show
      Prior to 0.98.0 if a user was not granted access to a column family or partial access (qualifier grants), then the AccessController would immediately throw back an AccessDeniedException. This behavior was changed in 0.98.0 to allow cell level ACLs to grant exceptional access. The user will no longer see an exception; instead the scanner will return result sets only including cells which grant exceptional access. If no such cell level grants are made, then the scanner will return the empty result set. This change introduces a configuration setting which restores the pre-0.98.0 behavior. It can be set in the site file for global effect, or per table using HTableDescriptor#setConfiguration. This setting is AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT ("hbase.security.access.early_out"), a boolean. Set to "true" for backwards compatible behavior. As a consequence if there are no grants at the CF level then an AccessDeniedException will be thrown immediately, and cell ACLs will be ignored, unless the cell-first ACL evaluation strategy is used (toggled via Query#setACLStrategy). This change also repairs a defect related to audit logging. In all cases, compatible behavior or not, indications of successful or failed access attempts will be logged.

    Description

      See parent for the whole story.

      For 0.98, to start, just put back the early out that was removed in 0.98.0 and allow it to be overridden with a table attribute.

      Attachments

        1. HBASE-11077-0.98.patch
          92 kB
          Andrew Kyle Purtell
        2. HBASE-11077.patch
          65 kB
          Andrew Kyle Purtell
        3. HBASE-11077.patch
          65 kB
          Andrew Kyle Purtell
        4. HBASE-11077.patch
          93 kB
          Andrew Kyle Purtell
        5. HBASE-11077.patch
          92 kB
          Andrew Kyle Purtell
        6. HBASE-11077.patch
          91 kB
          Andrew Kyle Purtell

        Activity

          People

            apurtell Andrew Kyle Purtell
            apurtell Andrew Kyle Purtell
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: