
    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.3.0
    • Component/s: Coprocessors, security
    • Labels:
      None
    • Release Note:
      Adds a coprocessor that sets HDFS ACLs so that users granted READ permission in HBase can scan snapshots.
      To use this feature, make sure the following HDFS configuration is set:
      dfs.namenode.acls.enabled=true
      fs.permissions.umask-mode=027

      and set the HBase config:
      hbase.coprocessor.master.classes="org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController"
      hbase.user.scan.snapshot.enable=true

      Description

      To let users who have been granted permissions in HBase scan table snapshots, use HDFS ACLs to give those users read permission on the hfiles.
      The basic implementation is:
      1. For public directories such as 'data' and 'archive', set the permission for other users to '--x' so that everyone can access the directory.
      2. For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and '.hbase-snapshot/snapshotName', set a user 'r-x' ACL and a default 'r-x' ACL when any of the following operations happens:
      grant to namespace or table / revoke from namespace or table / snapshot table

       

      For more details, please refer to the design doc: https://docs.google.com/document/d/1D2iAdbrW5CcKc2SthJBXA1n2tTMTftuVaFtxbOWFuqM/edit#heading=h.uwo33s7kz427
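
A preflight check for the settings listed in the release note, as an added example (not code from the HBase project). It assumes the standard Hadoop `<configuration>/<property>` site-file layout; the function names and sample files are constructed for illustration, and merging files with "later file wins" is a simplification.

```python
import xml.etree.ElementTree as ET

# Settings quoted in the release note of this issue.
REQUIRED = {
    "dfs.namenode.acls.enabled": "true",
    "fs.permissions.umask-mode": "027",
    "hbase.user.scan.snapshot.enable": "true",
}
MASTER_CP_KEY = "hbase.coprocessor.master.classes"
REQUIRED_COPROCESSORS = (
    "org.apache.hadoop.hbase.security.access.AccessController",
    "org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController",
)

def parse_site_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_snapshot_acl_config(*site_xml_texts):
    """Merge the given site files (later file wins) and list every deviation."""
    merged = {}
    for text in site_xml_texts:
        merged.update(parse_site_xml(text))
    problems = []
    for key, want in REQUIRED.items():
        got = merged.get(key, "<unset>")
        if got.lower() != want:
            problems.append(f"{key}={got} (expected {want})")
    # Both coprocessors from the release note must be in the master class list.
    loaded = [c.strip() for c in merged.get(MASTER_CP_KEY, "").split(",") if c.strip()]
    for cls in REQUIRED_COPROCESSORS:
        if cls not in loaded:
            problems.append(f"{MASTER_CP_KEY} is missing {cls}")
    return problems

# Constructed sample files: wrong umask, ACL coprocessor not registered.
SAMPLE_HDFS = """<configuration>
  <property><name>dfs.namenode.acls.enabled</name><value>true</value></property>
  <property><name>fs.permissions.umask-mode</name><value>022</value></property>
</configuration>"""
SAMPLE_HBASE = """<configuration>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.user.scan.snapshot.enable</name><value>true</value></property>
</configuration>"""
```

Calling `check_snapshot_acl_config(SAMPLE_HDFS, SAMPLE_HBASE)` reports the umask mismatch and the missing `SnapshotScannerHDFSAclController`; an empty list means every setting from the release note is present.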

              People

              • Assignee:
                meiyi Yi Mei
                Reporter:
                meiyi Yi Mei
              • Votes:
                0
                Watchers:
                8