Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-19842

Cell ACLs v2



    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:


      Per cell ACLs as currently implemented (HBASE-7662) embed the serialized ACL in a tag stored with each cell. This was done for performance. This has some drawbacks, most significantly unnecessary duplication and to grant or revoke requires a rewrite of every affected cell. We could implement them in a space efficient (and management efficient) way at the cost of some performance like so:

      First, allow storage of cell level ACLs in the ACL table. Rowkey would be a generic identifier of some kind that can be distinguished from existing rowkeys that associate the ACL with a cf, or table, or namespace. Existing code for cf/table/namespace ACLs should ignore rows that do not conform to today's keying strategy. 

      Then provide the option for storing the rowkey of an entry in the ACL table in the cell ACL tag instead of the complete serialization. Allocate a new cell tag ID to distinguish v2 ACL references from v1 embedded ACL serializations.

      The advantages would be reduction of unnecessary duplication, and, like ACLs at other granularities, a GRANT or REVOKE which updates the ACL table will update access control rules for all affected cells. The disadvantage would be in order to process the reference to the ACL for each cell with an ACL reference in a tag we will need to look up the ACL in the ACL table.


          Issue Links



              • Assignee:
                apurtell Andrew Kyle Purtell
              • Votes:
                0 Vote for this issue
                14 Start watching this issue


                • Created: