Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-18659 Use HDFS ACL to give user the ability to read snapshot directly on HDFS
  3. HBASE-21995

Add a coprocessor to set HDFS ACL for hbase granted user

    XMLWordPrintableJSON

Details

    • Hide
      Add a coprocessor to set HDFS acls to make hbase granted users with READ permission have the access to scan snapshots.
      To use this feature, please make sure the HDFS config is set:
      dfs.namenode.acls.enabled=true
      fs.permissions.umask-mode=027

      and set the HBase config:
      hbase.coprocessor.master.classes="org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController"
      hbase.user.scan.snapshot.enable=true
      Show
      Add a coprocessor to set HDFS acls to make hbase granted users with READ permission have the access to scan snapshots. To use this feature, please make sure the HDFS config is set: dfs.namenode.acls.enabled=true fs.permissions.umask-mode=027 and set the HBase config: hbase.coprocessor.master.classes="org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController" hbase.user.scan.snapshot.enable=true

    Description

      To make hbase granted user have the access to scan table snapshots, use HDFS ACLs to set user read permission over hfiles.
      The basic implementation is:
      1. For public directories such as 'data' and 'archive', set other users' permission to '--x' to make everyone have the permission to access the directory.
      2. For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and '.hbase-snapshot/snapshotName', set user 'r-x' acl and default 'r-x' acl when following operations happen:
      grant to namespace or table / revoke from namespace or table / snapshot table

       

      For more details, please reference the design doc: https://docs.google.com/document/d/1D2iAdbrW5CcKc2SthJBXA1n2tTMTftuVaFtxbOWFuqM/edit#heading=h.uwo33s7kz427

      Attachments

        Issue Links

          is related to

          Sub-task - The sub-task of the issue HBASE-22625 documet use scan snapshot feature

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #163

          Activity

            People

              meiyi Yi Mei
              meiyi Yi Mei
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: