Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-672

Add SQL-ish security features using HBase AccessController

        Details

        • Type: Task
        • Status: Open
        • Priority: Major
        • Resolution: Unresolved
        • Affects Version/s: None
        • Fix Version/s: None
        • Labels:
        • old issue number:
          541

          Description

          In HBase 0.98, cell-level security will be available. Take a look at [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security) excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add support for security to our SQL grammar.

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:apurtell:11/09/13 09:06:21 PM:

            mentioned

            Show
            pctony Tony Stevenson added a comment - Comment:apurtell:11/09/13 09:06:21 PM: mentioned
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:jamestaylor:11/12/13 04:45:07 AM:

            @apurtell - how about this one?

            Show
            pctony Tony Stevenson added a comment - Comment:jamestaylor:11/12/13 04:45:07 AM: @apurtell - how about this one?
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:apurtell:11/12/13 04:45:07 AM:

            mentioned

            Show
            pctony Tony Stevenson added a comment - Comment:apurtell:11/12/13 04:45:07 AM: mentioned
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:apurtell:11/14/13 01:38:42 AM:

            assigned

            Show
            pctony Tony Stevenson added a comment - Comment:apurtell:11/14/13 01:38:42 AM: assigned
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:apurtell:11/14/13 01:49:35 AM:

            Actually even with HBase 0.94, Phoenix could manage column and table level permissions with something like [GRANT](http://www.postgresql.org/docs/8.0/static/sql-grant.html) and [REVOKE](http://www.postgresql.org/docs/8.0/static/sql-revoke.html). I deliberately linked to Postgres 8 manpages because Postgres 9's syntax involves RBAC, which the HBase access controller doesn't support, although I suppose we could look at emulating roles with a custom Hadoop group mapper.

            On an HBase including HBASE-7662(https://issues.apache.org/jira/browse/HBASE-7662), we could consider fun things like combining GRANT and REVOKE syntax with SELECT. Phoenix would execute the query, retrieve the cells, add cell ACLs, and store them back at their exact coordinates. Can be done in a coprocessor or filter to avoid any round trips over the network.

            Show
            pctony Tony Stevenson added a comment - Comment:apurtell:11/14/13 01:49:35 AM: Actually even with HBase 0.94, Phoenix could manage column and table level permissions with something like [GRANT] ( http://www.postgresql.org/docs/8.0/static/sql-grant.html ) and [REVOKE] ( http://www.postgresql.org/docs/8.0/static/sql-revoke.html ). I deliberately linked to Postgres 8 manpages because Postgres 9's syntax involves RBAC, which the HBase access controller doesn't support, although I suppose we could look at emulating roles with a custom Hadoop group mapper. On an HBase including HBASE-7662 ( https://issues.apache.org/jira/browse/HBASE-7662 ), we could consider fun things like combining GRANT and REVOKE syntax with SELECT. Phoenix would execute the query, retrieve the cells, add cell ACLs, and store them back at their exact coordinates. Can be done in a coprocessor or filter to avoid any round trips over the network.
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:jamestaylor:11/14/13 04:38:30 AM:

            Nice, didn't realize that.

            Any volunteers?

            Show
            pctony Tony Stevenson added a comment - Comment:jamestaylor:11/14/13 04:38:30 AM: Nice, didn't realize that. Any volunteers?
            Hide
            Permalink
            pctony Tony Stevenson added a comment -

            Comment:apurtell:11/14/13 05:00:06 PM:

            Yes I volunteer, to add GRANT and REVOKE for 0.94/0.96.

            Also interested in marrying those statements with SELECT - I believe that would be a first.

            Show
            pctony Tony Stevenson added a comment - Comment:apurtell:11/14/13 05:00:06 PM: Yes I volunteer, to add GRANT and REVOKE for 0.94/0.96. Also interested in marrying those statements with SELECT - I believe that would be a first.
            Hide
            Permalink
            apurtell Andrew Purtell added a comment -

            Should we revive this? Where in the roadmap do you think it might make sense to fit in? We would be looking at grammar, parser, and executor changes for GRANT and REVOKE statements that I think would be self contained.

            Show
            apurtell Andrew Purtell added a comment - Should we revive this? Where in the roadmap do you think it might make sense to fit in? We would be looking at grammar, parser, and executor changes for GRANT and REVOKE statements that I think would be self contained.
            Hide
            Permalink
            apurtell Andrew Purtell added a comment -

            GRANT and REVOKE DDL statements for applying table, column family, namespace, or global level permissions would find support in the SQL92 syntax definition.

            But what about cell level ACLs (and related on PHOENIX-684 visibility labels)? In an earlier comment I suggested combining GRANT/REVOKE with SELECT but that would be off spec and anyway an out of band application of security metadata. For setting security metadata per cell - if we are going to tackle that - with immediate effect we need some way in DML (UPSERT, INSERT, etc) to associate metadata with value in the value list, or applied to all results of a subselect.

            Show
            apurtell Andrew Purtell added a comment - GRANT and REVOKE DDL statements for applying table, column family, namespace, or global level permissions would find support in the SQL92 syntax definition. But what about cell level ACLs (and related on PHOENIX-684 visibility labels)? In an earlier comment I suggested combining GRANT/REVOKE with SELECT but that would be off spec and anyway an out of band application of security metadata. For setting security metadata per cell - if we are going to tackle that - with immediate effect we need some way in DML (UPSERT, INSERT, etc) to associate metadata with value in the value list, or applied to all results of a subselect.

              People

              • Assignee:
                apurtell Andrew Purtell
                Reporter:
                jamestaylor James Taylor
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Development