The attached patch provides an alternate operating mode, which can be optionally enabled, that provides some simple user isolation. When enabled, an access token must be added as the first element of the path.
An access token is a 32-character hexadecimal string. Tokens can be generated using any method, but typically one would use MD5 to hash the username with a salt.
For example, where before a value may be accessed as:
with multiuser mode enabled, it would be:
Access tokens map to user accounts. This mapping is done by pluggable authenticators. Three authenticators are provided, which support defining user accounts via 1) hbase-site.xml, 2) entries in an HBase table, or 3) entries in any data source with a JDBC driver, respectively. User accounts can have administrative privilege. They can also be temporarily disabled.
If a user account has administrative privilege, table names given in the path are not modified.
If a user account does not have administrative privilege, the typical case, then table names given in the path or in submitted data are transparently rewritten from <table> to <user-name> + "." + <table>, and vice versa. In this way each user has the illusion of a private namespace and one user cannot access the tables of another.
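The token check and table-name rewriting described above can be modelled as follows. This is an added sketch, not code from the patch: the account store, function names, sample tokens and sample paths are constructed, and rejecting user names that contain "." (so that two accounts cannot produce the same prefixed table name) is an assumption of the sketch, not something the description specifies.

```python
import re

TOKEN_RE = re.compile(r"[0-9a-fA-F]{32}")  # 32-character hexadecimal string

# Constructed accounts, standing in for a pluggable authenticator's store.
ACCOUNTS = {
    "0123456789abcdef0123456789abcdef": {"name": "alice", "admin": False, "disabled": False},
    "fedcba9876543210fedcba9876543210": {"name": "root", "admin": True, "disabled": False},
    "00000000000000000000000000000000": {"name": "bob", "admin": False, "disabled": True},
}

class AccessDenied(Exception):
    pass

def authenticate(token, accounts=ACCOUNTS):
    """Map an access token to an enabled account, or raise AccessDenied."""
    if not TOKEN_RE.fullmatch(token):
        raise AccessDenied("malformed token")
    user = accounts.get(token)
    if user is None or user["disabled"]:
        raise AccessDenied("unknown or disabled account")
    if "." in user["name"]:
        # Sketch assumption: a dot in the name would make prefixes ambiguous
        # ("a" + "." + "b.t" equals "a.b" + "." + "t").
        raise AccessDenied("user name must not contain '.'")
    return user

def to_internal(path, accounts=ACCOUNTS):
    """Turn '/<token>/<table>/...' into (user, '/<stored table>/...')."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or not parts[1]:
        raise AccessDenied("path needs a token and a table name")
    user = authenticate(parts[0], accounts)
    # Administrators see real table names; everyone else gets a private prefix.
    table = parts[1] if user["admin"] else user["name"] + "." + parts[1]
    return user, "/" + "/".join([table] + parts[2:])

def to_external(user, stored_tables):
    """Reverse mapping for responses: own tables only, with the prefix removed."""
    if user["admin"]:
        return list(stored_tables)
    prefix = user["name"] + "."
    return [t[len(prefix):] for t in stored_tables if t.startswith(prefix)]
```

Because the prefix is always applied for non-administrators, a request from alice that names `root.secret` resolves to `alice.root.secret` and stays inside her own namespace.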