Details
- New Feature
- Status: Closed
- Minor
- Resolution: Won't Fix
Description
For some sensitive data, users want to restrict the source IPs of HBase users, like MySQL access control does.
One direct solution is to add the candidate IPs when granting user permissions.
grant <user|@group[@ip-regular expression]> [ <table> [ <column family> [ <column qualifier> ] ] ]
Any comments and suggestions are welcomed.
apurtell
Issue Links
- is part of HBASE-7123 Refactor internal methods in AccessController (Closed)
I've thought about this some. We could build a service authorization engine supporting fine grained decision-making using attributes such as client IP address (surely the first of many), but consider:
First, Hadoop already has a nascent service authorization framework, see https://hadoop.apache.org/docs/r2.2.0/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html. At least when our secure RPC was first committed we picked up support for service authorization for all of our RPC protocols from the Hadoop libraries. The current Hadoop code does not support IP filtering but it could.
Second, even if we build our own fine grained service authorization, will Hadoop someday introduce the same facilities? There is HADOOP-9466. Incubating projects like Apache Sentry are also working toward this kind of capability.
Third, see HBASE-7123 and HBASE-7254. To the extent that technical debt should be paid down in the AccessController, we should factor that in. permissionGranted and the like are where you'd start with today's code to implement restrictions by IP address.
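An added example, not part of the original issue or of HBase's code: a sketch of how the proposed `[@ip-regular expression]` suffix on a grant principal could be parsed and evaluated, and of how a glob-style pattern admits addresses outside the subnet the administrator meant. The function names, the sample addresses, the use of full-string matching and the assumption that user and group names contain no `@` are all choices made for this illustration.

```python
import ipaddress
import re

# Constructed sample client addresses; only the first is inside 10.1.1.0/24.
PROBES = ["10.1.1.5", "10.1.10.5", "10.101.7.7", "10.2.1.5"]

def parse_principal(spec):
    """Split 'user[@ip-regex]' or '@group[@ip-regex]' into (name, is_group, ip_regex).

    Assumes names contain no '@'; everything after the first separator is the pattern.
    """
    is_group = spec.startswith("@")
    body = spec[1:] if is_group else spec
    name, sep, ip_regex = body.partition("@")
    if not name:
        raise ValueError("empty user or group name")
    return name, is_group, (ip_regex if sep else None)

def ip_allowed(ip_regex, client_ip):
    """True only if client_ip is a well-formed address and the WHOLE string matches."""
    try:
        ipaddress.ip_address(client_ip)      # reject malformed addresses first
    except ValueError:
        return False
    if ip_regex is None:                     # grant carries no IP restriction
        return True
    # fullmatch, not search/match: a prefix or substring hit must not authorize.
    return re.fullmatch(ip_regex, client_ip) is not None

def overmatches(ip_regex, intended_cidr, probes):
    """Probe addresses the pattern admits although they lie outside intended_cidr."""
    net = ipaddress.ip_network(intended_cidr)
    return [p for p in probes
            if ip_allowed(ip_regex, p) and ipaddress.ip_address(p) not in net]

if __name__ == "__main__":
    # "10.1.1.*" reads like a glob, but as a regex '.' is a wildcard and '.*'
    # swallows the rest, so other subnets slip through.
    _, _, loose = parse_principal("alice@10.1.1.*")
    _, _, strict = parse_principal(r"alice@10\.1\.1\.\d{1,3}")
    print("loose pattern admits :", overmatches(loose, "10.1.1.0/24", PROBES))
    print("strict pattern admits:", overmatches(strict, "10.1.1.0/24", PROBES))
```

Running a grant's pattern through a check like `overmatches` before storing it is one way to catch patterns that are broader than the subnet the grant was written for.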