Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-12470

Way to determine which labels are applied to a cell in a table

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.98.6.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      There is currently no way to determine which labels are applied to a cell without using the HFile tool to dump each HFile and then translating the output back to the hbase:labels table. This is quite tedious on larger tables. Since this could be a security risk perhaps we make it tunable with hbase.superuser.can.veiw.cells or something along those lines?

        Issue Links

          Activity

          Hide
          apurtell Andrew Purtell added a comment -

          Also the client should be determined to know whether it is really a legitmate user. A malicious client could claim to be a legitmate user and ask for a codec that could send across the tags. The server should be able to clearly identify such cases.

          That's why you'd negotiate codecs after kerberos authentication.

          Show
          apurtell Andrew Purtell added a comment - Also the client should be determined to know whether it is really a legitmate user. A malicious client could claim to be a legitmate user and ask for a codec that could send across the tags. The server should be able to clearly identify such cases. That's why you'd negotiate codecs after kerberos authentication.
          Hide
          ram_krish ramkrishna.s.vasudevan added a comment -

          Also the client should be determined to know whether it is really a legitmate user. A malicious client could claim to be a legitmate user and ask for a codec that could send across the tags. The server should be able to clearly identify such cases.

          Show
          ram_krish ramkrishna.s.vasudevan added a comment - Also the client should be determined to know whether it is really a legitmate user. A malicious client could claim to be a legitmate user and ask for a codec that could send across the tags. The server should be able to clearly identify such cases.
          Hide
          ram_krish ramkrishna.s.vasudevan added a comment -

          Yes, connection negotiation was the suggestion given in HBASE-12441 also.
          https://issues.apache.org/jira/browse/HBASE-12441?focusedCommentId=14201557&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14201557

          HBASE-9681 is the JIRA for connection negotiation. I have some patches that I worked on (Need to check it). The main problem is that for supporting this negotiation we may have to introduce a two way handshake mechanism and that may have BC issues with clients and servers with/without this negotiation support.

          Show
          ram_krish ramkrishna.s.vasudevan added a comment - Yes, connection negotiation was the suggestion given in HBASE-12441 also. https://issues.apache.org/jira/browse/HBASE-12441?focusedCommentId=14201557&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14201557 HBASE-9681 is the JIRA for connection negotiation. I have some patches that I worked on (Need to check it). The main problem is that for supporting this negotiation we may have to introduce a two way handshake mechanism and that may have BC issues with clients and servers with/without this negotiation support.
          Hide
          anoop.hbase Anoop Sam John added a comment -

          Agree with Andy.
          Per connection codec usage is the best solution. Copy/export table issue also can get solved then.

          Show
          anoop.hbase Anoop Sam John added a comment - Agree with Andy. Per connection codec usage is the best solution. Copy/export table issue also can get solved then.
          Hide
          apurtell Andrew Purtell added a comment - - edited

          This is also an issue for cell ACLs.

          As Anoop mentioned we strip security tags in the RPC layer so we don't leak sensitive information to users, untrusted or otherwise. We can vary the codec but only globally by configuration.

          In the run up to 0.98.0, while we were still at 0.97-SNAPSHOT, I proposed a couple of variations on per connection codec negotiation that didn't go anywhere on account of lack of time, interest, and community will. Per-connection negotiation is probably the best answer here. Might be worth it for you to reconsider the idea. After we authenticate a user as privileged (we can start with beloging to the superuser group) we could use the RPC codec which does not strip security tags, thus giving higher level APIs / policy monitoring / policy validation tools direct access to cell tags, and therefore ACL and visibility label metadata stored with them. This requires the ability to swap RPC codecs on a per connection basis, after the authorization handshake, so some sort of negotiation...

          Show
          apurtell Andrew Purtell added a comment - - edited This is also an issue for cell ACLs. As Anoop mentioned we strip security tags in the RPC layer so we don't leak sensitive information to users, untrusted or otherwise. We can vary the codec but only globally by configuration. In the run up to 0.98.0, while we were still at 0.97-SNAPSHOT, I proposed a couple of variations on per connection codec negotiation that didn't go anywhere on account of lack of time, interest, and community will. Per-connection negotiation is probably the best answer here. Might be worth it for you to reconsider the idea. After we authenticate a user as privileged (we can start with beloging to the superuser group) we could use the RPC codec which does not strip security tags, thus giving higher level APIs / policy monitoring / policy validation tools direct access to cell tags, and therefore ACL and visibility label metadata stored with them. This requires the ability to swap RPC codecs on a per connection basis, after the authorization handshake, so some sort of negotiation...
          Hide
          jinghe Jerry He added a comment -

          Yes, after going thru your original HBASE-10322, We need to give some thoughts.

          Show
          jinghe Jerry He added a comment - Yes, after going thru your original HBASE-10322 , We need to give some thoughts.
          Hide
          anoop.hbase Anoop Sam John added a comment -

          We could use client scan result to contain the labels. Maybe with hbase superuser and upon user's request by setting an attribute in the client scan?

          We have to use different Codec at RPC then. That is the difficult part of the change.

          Show
          anoop.hbase Anoop Sam John added a comment - We could use client scan result to contain the labels. Maybe with hbase superuser and upon user's request by setting an attribute in the client scan? We have to use different Codec at RPC then. That is the difficult part of the change.
          Hide
          jinghe Jerry He added a comment -

          This can be seen as to be related to HBASE-12441.
          We could use client scan result to contain the labels. Maybe with hbase superuser and upon user's request by setting an attribute in the client scan?

          Show
          jinghe Jerry He added a comment - This can be seen as to be related to HBASE-12441 . We could use client scan result to contain the labels. Maybe with hbase superuser and upon user's request by setting an attribute in the client scan?

            People

            • Assignee:
              Unassigned
              Reporter:
              kevin.odell Kevin Odell
            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:

                Development