Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-21591

Support ability to have host based permissions



    • Type: Improvement
    • Status: Open
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:


      Today, one can put in an ACL rule where a user is not permitted to read data but can insert data (e.g. grant 'user', 'table', 'W'). However, one can not implement HBase as a "drop-box" for data where by in a secure network, one can read and write data but outside that secure network one can only write data; and I do not believe this is possible with custom access controllers, unless one "wraps" HBase; e.g. with the HBase REST server.

      I have been pushing for this model (e.g. Of Data Dropboxes and Data Gloveboxes or slides) in a number of technologies for some data compartmentalization initiatives.

      I propose passing the requester's host information through the HBase authentication stack so that the ACL model in HBase can work akin to the SQL semantics of user@host or user@<anywhere>.The expected impact would be to HBase private interfaces only, so far in POC'ing it seems the following would be impacted:

      Access Control Classes/ACL Table Management:

      • AccessControlUtil
      • UserPermission
      • AccessChecker
      • AccessControlFilter
      • AccessController
      • AuthResult
      • TableAuthManager
      • AccessControl.proto

      Co-Processor APIs for Checking Authentication:

      • CoprocessorHost
      • ObserverContext
      • ObserverContextImpl
      • RSRpcServices
      • RSGroupAdminEndpoint




            • Assignee:
              clayb Clay B.
              clayb Clay B.
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: