[HBASE-3045] Extend HBASE-3025 into a role based access control model using "HBase groups" - ASF JIRA

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Later
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Issue Links

depends upon

HBASE-3025 Coprocessor based simple access control

Closed

is related to

HBASE-6098 ACL design changes

Resolved

HBASE-6096 AccessController v2

Resolved

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Todd Lipcon added a comment - 28/Sep/10 18:14

Can you clarify the purpose and management of HBase groups as distinct entities from HDFS groups?

It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

Show

Todd Lipcon added a comment - 28/Sep/10 18:14 Can you clarify the purpose and management of HBase groups as distinct entities from HDFS groups? It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

Hide

Permalink

Gary Helmling added a comment - 28/Sep/10 18:45

It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

That's definitely the plan for ~~HBASE-3025~~, where a user's groups (as resolved by GroupMappingService) can also be used for permission assignments.

This issue proposes adding an additional layer of HBase persisted and manipulated roles, where a role can contain members who are:

users
groups
other roles

This is more akin to PostgreSQL role management. You could then set say a "webapp" role that has certain access rights to a set of tables and add users or groups as needed. You can model the same thing with external groups and memberships, but recursive roles give a bit more flexibility to the policy definitions.

Show

Gary Helmling added a comment - 28/Sep/10 18:45 It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems. That's definitely the plan for HBASE-3025 , where a user's groups (as resolved by GroupMappingService) can also be used for permission assignments. This issue proposes adding an additional layer of HBase persisted and manipulated roles, where a role can contain members who are: users groups other roles This is more akin to PostgreSQL role management. You could then set say a "webapp" role that has certain access rights to a set of tables and add users or groups as needed. You can model the same thing with external groups and memberships, but recursive roles give a bit more flexibility to the policy definitions.

Hide

Permalink

Todd Lipcon added a comment - 28/Sep/10 19:13

OK. I think it's a good idea to separate the terminology clearly between roles (defined and managed as HBase metadata) and groups (defined and managed by the groups mapping service). Otherwise we are going to have some very confused users.

Show

Todd Lipcon added a comment - 28/Sep/10 19:13 OK. I think it's a good idea to separate the terminology clearly between roles (defined and managed as HBase metadata) and groups (defined and managed by the groups mapping service). Otherwise we are going to have some very confused users.

Hide

Permalink

Andrew Purtell added a comment - 28/Sep/10 19:36

Noted.

Show

Andrew Purtell added a comment - 28/Sep/10 19:36 Noted.

Hide

Permalink

Andrew Purtell added a comment - 29/Apr/14 21:20

Hadoop group mapping seems good enough for now. Resolving as Later.

Show

Andrew Purtell added a comment - 29/Apr/14 21:20 Hadoop group mapping seems good enough for now. Resolving as Later.

People

Assignee:

Unassigned

Reporter:

Andrew Purtell

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

28/Sep/10 15:51

Updated:

29/Apr/14 21:20

Resolved:

29/Apr/14 21:20

Development

Agile

View on Board