Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-6222 Add per-KeyValue Security
  3. HBASE-7663

[Per-KV security] Visibility labels

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 0.98.0
    • 0.98.0
    • Coprocessors, security
    • None
    • Reviewed
    • Hide
      VisibilityController CP handles the visibility
      The visibility labels are stored as tags with KVs
      Use Mutation#setCellVisibility(new CellVisibility(<labelExp>)); to add visibility expressions to cells
      The label expression can contain visibility labels joined with logical expressions &, | and !. Also using (, ) one can specify the precedence order
      Eg : SECRET & CONFIDENTIAL & !PUBLIC
      Please note that passing CellVisibility in a Delete mutation is illegal.

      During read, (Scan/Get) one can specify labels associated with that, in Authorizations
      scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));


      Visibility Label admin operations
      ----------------------------------------
      Labels can be added to the system using VisibilityClient#addLabels(). Also can use add_labels shell command
      Only super user (hbase.superuse) have permission to add the labels into the system.
      A set of labels can be associated for a user using setAuths. VisibilityClient#setAuths()
      Similarly labels can be removed from user auths using clearAuths.
      getAuths API can be used to view user auths.
      Also there is support for set_auths, clear_auths and get_auths shell commands
      Same way as in addLabels, only super user have permission for these operations.
      When AccessController is ON the permission checks are handled by AC.
      Using AC along with Visibility is optional. When AC is not available, permission checks are done at VisibilityController level itself.
      Show
      VisibilityController CP handles the visibility The visibility labels are stored as tags with KVs Use Mutation#setCellVisibility(new CellVisibility(<labelExp>)); to add visibility expressions to cells The label expression can contain visibility labels joined with logical expressions &, | and !. Also using (, ) one can specify the precedence order Eg : SECRET & CONFIDENTIAL & !PUBLIC Please note that passing CellVisibility in a Delete mutation is illegal. During read, (Scan/Get) one can specify labels associated with that, in Authorizations scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); Visibility Label admin operations ---------------------------------------- Labels can be added to the system using VisibilityClient#addLabels(). Also can use add_labels shell command Only super user (hbase.superuse) have permission to add the labels into the system. A set of labels can be associated for a user using setAuths. VisibilityClient#setAuths() Similarly labels can be removed from user auths using clearAuths. getAuths API can be used to view user auths. Also there is support for set_auths, clear_auths and get_auths shell commands Same way as in addLabels, only super user have permission for these operations. When AccessController is ON the permission checks are handled by AC. Using AC along with Visibility is optional. When AC is not available, permission checks are done at VisibilityController level itself.

    Description

      Implement Accumulo-style visibility labels. Consider the following design principles:

      • Coprocessor based implementation
      • Minimal to no changes to core code
      • Use KeyValue tags (HBASE-7448) to carry labels
      • Use OperationWithAttributes# {get,set}

        Attribute for handling visibility labels in the API

      • Implement a new filter for evaluating visibility labels as KVs are streamed through.

      This approach would be consistent in deployment and API details with other per-KV security work, supporting environments where they might be both be employed, even stacked on some tables.

      See the parent issue for more discussion.

      Attachments

        1. HBASE-7663_V10.patch
          535 kB
          Anoop Sam John
        2. HBASE-7663_V2.patch
          560 kB
          Anoop Sam John
        3. HBASE-7663_V3.patch
          605 kB
          Anoop Sam John
        4. HBASE-7663_V4.patch
          549 kB
          Anoop Sam John
        5. HBASE-7663_V5.patch
          550 kB
          Anoop Sam John
        6. HBASE-7663_V6.patch
          536 kB
          Anoop Sam John
        7. HBASE-7663_V7.patch
          536 kB
          Anoop Sam John
        8. HBASE-7663_V8.patch
          534 kB
          Anoop Sam John
        9. HBASE-7663_V9.patch
          535 kB
          Anoop Sam John
        10. HBASE-7663.patch
          383 kB
          Anoop Sam John

        Issue Links

          Activity

            People

              anoop.hbase Anoop Sam John
              apurtell Andrew Kyle Purtell
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: