Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-12087

[0.98] Changing the default setting of hbase.security.access.early_out to true

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.98.6
    • Fix Version/s: 0.98.7
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Hide
      Prior to 0.98.0 if a user was not granted access to a column family or partial access (qualifier grants), then the AccessController would immediately throw back an AccessDeniedException. This behavior was changed in 0.98.0. Instead, scanners will return result sets only including cells for which the user has access. If the user has no permissions on any cell then the scanner will return the empty result set. Code expecting an AccessDeniedException if the user has no access may not function as intended.

      This change introduces a configuration setting which restores the pre-0.98.0 behavior.

      If you would prefer the new behavior, this can be configured globally via site configuration or per table using HTableDescriptor#setConfiguration. The setting is AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT ("hbase.security.access.early_out"), a boolean. Set to "false" and scanners will return result sets only including cells for which the user has access without throwing an AccessDeniedException.
      Show
      Prior to 0.98.0 if a user was not granted access to a column family or partial access (qualifier grants), then the AccessController would immediately throw back an AccessDeniedException. This behavior was changed in 0.98.0. Instead, scanners will return result sets only including cells for which the user has access. If the user has no permissions on any cell then the scanner will return the empty result set. Code expecting an AccessDeniedException if the user has no access may not function as intended. This change introduces a configuration setting which restores the pre-0.98.0 behavior. If you would prefer the new behavior, this can be configured globally via site configuration or per table using HTableDescriptor#setConfiguration. The setting is AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT ("hbase.security.access.early_out"), a boolean. Set to "false" and scanners will return result sets only including cells for which the user has access without throwing an AccessDeniedException.

      Description

      From the mailing list conversation:
      Problem:

      • 98 with default early out = false and hfile v2 will always give the
        "Permission Denied" instead of the "0 rows" that you expect since the early
        out is false
      • 98 with default early out = false and hfile v3 will always give the "0
        rows"

        Attachments

        1. HBASE-12087.patch
          1.0 kB
          Srikanth Srungarapu
        2. HBASE-12087_v2.patch
          2 kB
          Srikanth Srungarapu

          Activity

            People

            • Assignee:
              srikanth235 Srikanth Srungarapu
              Reporter:
              srikanth235 Srikanth Srungarapu
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: