diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc index 072f251..56ad62c 100644 --- a/src/main/asciidoc/_chapters/security.adoc +++ b/src/main/asciidoc/_chapters/security.adoc @@ -1047,6 +1047,12 @@ The default plugin passes through labels specified in Authorizations added to th When the client passes labels for which the user is not authenticated, the default plugin drops them. You can pass a subset of user authenticated labels via the `Get#setAuthorizations(Authorizations(String,...))` and `Scan#setAuthorizations(Authorizations(String,...));` methods. +VisibilityClient API and shell commands can be used to set, get and clear visibility labels for users and groups. Groups are prefixed with an @ symbol. + +When checking visibility labels of a user, the server will include the labels of the groups of which the user is a member, together with the user's own labels. + +`get_auths` shell command or corresponding API on a user will only return the user's own labels. `clear_auths` shell command or corresponding API on a user will only clear the user's own labels. + Visibility label access checking is performed by the VisibilityController coprocessor. You can use interface `VisibilityLabelService` to provide a custom implementation and/or control the way that visibility labels are stored with cells. See the source file _hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithCustomVisLabService.java_ for one example. @@ -1167,6 +1173,10 @@ gbase> set_auths 'testuser', [ 'test' ] ---- hbase> set_auths 'qa', [ 'test', 'developer' ] ---- + +---- +hbase> set_auths '@qagroup', [ 'test', 'developer' ] +---- ==== + .Java API @@ -1203,6 +1213,10 @@ hbase> clear_auths 'testuser', [ 'test' ] ---- hbase> clear_auths 'qa', [ 'test', 'developer' ] ---- + +---- +hbase> clear_auths '@qagroup', [ 'test', 'developer' ] +---- ==== + .Java API
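Review bot: The first hunk (@@ -1047) leaves the revocation and audit consequence unstated. The added text says the server's check includes the labels of the user's groups, while `get_auths` and `clear_auths` on a user touch only the user's own labels. That means a label cleared from a user can still be effective through a group, and `get_auths` on that user will not show it. Suggest adding a sentence telling administrators to also run `get_auths` and `clear_auths` against the relevant `@group` entries when reviewing or revoking access. Minor wording: "VisibilityClient API" and "`get_auths` shell command" each read better with a leading "The".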
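Review bot: The `set_auths '@qagroup', [ 'test', 'developer' ]` example added in the second hunk (@@ -1167) has no text explaining the `@` prefix, so a reader who jumps straight to the examples cannot tell it targets a group rather than a user. Suggest a one-line lead-in before the block saying this sets labels for a group and that group names are prefixed with `@`. The hunk header context also shows the preceding example's prompt as `gbase>`, which looks like a typo for `hbase>` and could be corrected in the same patch.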
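Review bot: No hunk adds a `get_auths '@qagroup'` example, although the prose added in the first hunk says labels can be set, retrieved and cleared for groups, and the second and third hunks (@@ -1167, @@ -1203) cover only `set_auths` and `clear_auths`. Suggest adding the matching `get_auths` group example for symmetry. Beside the `clear_auths '@qagroup'` example in the third hunk, it would also help to note that, per the new prose, group labels are included when checking a member's labels, so clearing them from the group changes what every member can see.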