HBase
  1. HBase
  2. HBASE-1697 Discretionary access control
  3. HBASE-3045

Extend HBASE-3025 into a role based access control model using "HBase groups"

    Details

    • Type: Sub-task Sub-task
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Issue Links

        Activity

        Hide
        Andrew Purtell added a comment -

        Noted.

        Show
        Andrew Purtell added a comment - Noted.
        Hide
        Todd Lipcon added a comment -

        OK. I think it's a good idea to separate the terminology clearly between roles (defined and managed as HBase metadata) and groups (defined and managed by the groups mapping service). Otherwise we are going to have some very confused users.

        Show
        Todd Lipcon added a comment - OK. I think it's a good idea to separate the terminology clearly between roles (defined and managed as HBase metadata) and groups (defined and managed by the groups mapping service). Otherwise we are going to have some very confused users.
        Hide
        Gary Helmling added a comment -

        It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

        That's definitely the plan for HBASE-3025, where a user's groups (as resolved by GroupMappingService) can also be used for permission assignments.

        This issue proposes adding an additional layer of HBase persisted and manipulated roles, where a role can contain members who are:

        • users
        • groups
        • other roles

        This is more akin to PostgreSQL role management. You could then set say a "webapp" role that has certain access rights to a set of tables and add users or groups as needed. You can model the same thing with external groups and memberships, but recursive roles give a bit more flexibility to the policy definitions.

        Show
        Gary Helmling added a comment - It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems. That's definitely the plan for HBASE-3025 , where a user's groups (as resolved by GroupMappingService) can also be used for permission assignments. This issue proposes adding an additional layer of HBase persisted and manipulated roles, where a role can contain members who are: users groups other roles This is more akin to PostgreSQL role management. You could then set say a "webapp" role that has certain access rights to a set of tables and add users or groups as needed. You can model the same thing with external groups and memberships, but recursive roles give a bit more flexibility to the policy definitions.
        Hide
        Todd Lipcon added a comment -

        Can you clarify the purpose and management of HBase groups as distinct entities from HDFS groups?

        It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

        Show
        Todd Lipcon added a comment - Can you clarify the purpose and management of HBase groups as distinct entities from HDFS groups? It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

          People

          • Assignee:
            Eugene Koontz
            Reporter:
            Andrew Purtell
          • Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:

              Development