
AccessControlClient API Enhancement

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.2.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      This enhances the AccessControlClient APIs to retrieve the permissions based on namespace, table name, family and qualifier for a specific user. AccessControlClient can also validate whether a user is allowed to perform specified operations on a particular table.
      The following APIs have been added:
      1) getUserPermissions(Connection connection, String tableRegex, byte[] columnFamily, byte[] columnQualifier, String userName)
         The scope of retrieving permissions is the same as for the existing APIs.
      2) hasPermission(Connection connection, String tableName, byte[] columnFamily, byte[] columnQualifier, String userName, Permission.Action... actions)
         Scope of validating user privilege:
         A user can perform a self check without any special privilege, but ADMIN privilege is required to perform the check for other users.
         For example, suppose there are two users "userA" and "userB"; then there are the following scenarios:
         a. When userA wants to check whether userA has privilege to perform the mentioned actions,
            userA does not need ADMIN privilege, as it is a self query.
         b. When userA wants to check whether userB has privilege to perform the mentioned actions,
            userA must have ADMIN or superuser privilege, as it is querying for another user.

      Description

      Background:
      Currently HBase ACLs can be retrieved based on the namespace or table name only. There is no direct API available to retrieve the permissions based on the namespace, table name, column family and column qualifier for a specific user.

      A client has to write application logic in multiple steps to retrieve ACLs based on table name, column family and column qualifier for a specific user.
      HBase should enhance the AccessControlClient APIs to simplify this.

      The AccessControlClient API should be extended with the following APIs:

      1. To retrieve permissions based on the namespace, table name, column family and column qualifier for a specific user.
         Permissions can be retrieved based on the following inputs:
              - Namespace/Table (already available)
              - Namespace/Table + UserName
              - Table + CF
              - Table + CF + UserName
              - Table + CF + CQ
              - Table + CF + CQ + UserName

         Scope of retrieving permissions:
              - Same as existing

      2. To validate whether a user is allowed to perform specified operations on a particular table. This is useful for checking a user's privilege up front instead of getting ACD during the client operation.
         User validation can be performed based on the following inputs:
              - Table + CF + CQ + UserName + Actions

         Scope of validating user privilege:
         A user can perform a self check without any special privilege, but ADMIN privilege is required to perform the check for other users.
         For example, suppose there are two users "userA" and "userB"; then there are the following scenarios:
              - When userA wants to check whether userA has privilege to perform the mentioned actions,
                    > userA does not need ADMIN privilege, as it is a self query.

              - When userA wants to check whether userB has privilege to perform the mentioned actions,
                    > userA must have ADMIN or superuser privilege, as it is querying for another user.
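      As an added illustration (this is not code from the HBase project or from this ticket), the following Java snippet uses the two methods described above with the "Table + CF + CQ + UserName" scope: it runs the self check for the current principal before attempting a write, so the caller needs no ADMIN privilege, and lists that user's permissions at the same scope. The table name "t1", family "cf", qualifier "q" and the row/value are constructed for the example.

```java
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.Bytes;

public class PermissionPreflight {
  // Constructed scope for the demonstration; these names are not from the ticket.
  private static final String TABLE = "t1";
  private static final byte[] CF = Bytes.toBytes("cf");
  private static final byte[] CQ = Bytes.toBytes("q");

  public static void main(String[] args) throws Throwable {
    Configuration conf = HBaseConfiguration.create();
    try (Connection conn = ConnectionFactory.createConnection(conf)) {
      // Self query: the caller asks about its own principal, so no ADMIN privilege is needed.
      // Passing a different user name here would require ADMIN or superuser privilege.
      String me = User.getCurrent().getShortName();
      // hasPermission() evaluates every listed action for the table/CF/CQ scope.
      boolean canWrite = AccessControlClient.hasPermission(
          conn, TABLE, CF, CQ, me, Permission.Action.WRITE);
      // getUserPermissions() narrowed to Table + CF + CQ + UserName, as the ticket lists.
      List<UserPermission> perms =
          AccessControlClient.getUserPermissions(conn, TABLE, CF, CQ, me);
      for (UserPermission p : perms) {
        System.out.println("granted: " + p);
      }
      if (!canWrite) {
        // Fail fast instead of letting the Put surface an access-denied error later.
        System.out.println(me + " lacks WRITE on " + TABLE + ":cf:q, skipping put");
        return;
      }
      try (Table table = conn.getTable(TableName.valueOf(TABLE))) {
        Put put = new Put(Bytes.toBytes("row1")).addColumn(CF, CQ, Bytes.toBytes("v"));
        table.put(put);
      }
    }
  }
}
```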

        Attachments

        1. HBASE-20357.master.addendum.0.patch
          0.9 kB
          Pankaj Kumar
        2. HBASE-20357.master.003.patch
          109 kB
          Pankaj Kumar
        3. HBASE-20357.master.002.patch
          110 kB
          Pankaj Kumar
        4. HBASE-20357.master.001.patch
          101 kB
          Pankaj Kumar

            People

            • Assignee: Pankaj Kumar (pankaj2461)
            • Reporter: Pankaj Kumar (pankaj2461)
            • Votes: 0
            • Watchers: 7
