diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index 072f251..7d0cd1e 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -1273,6 +1273,50 @@ static Table createTableAndWriteDataWithLabels(TableName tableName, String... la ---- ==== +==== Reading Cells with Labels +When you issue a Scan or Get, HBase uses your default set of authorizations to filter out cells that you do not have access to. A superuser can see the default set of authorizations for a given user by using the `set_auths` HBase Shell command or the link:http://hbase.apache.org/devapidocs/org/apache/hadoop/hbase/security/visibility/VisibilityClient.htmlsgetAuths%28org.apache.hadoop.conf.Configuration,%20java.lang.String%29[setAuths()] method. + +You can specify a different authorization during the Scan or Get, by passing the AUTHORIZATIONS option in HBase Shell, or the link:http://hbase.apache.org/apidocs/org/apache/hadoop/hbase/client/Scan.html#setAuthorizations%28org.apache.hadoop.hbase.security.visibility.Authorizations%29[setAuthorizations()] method if you use the API. This authorization will be combined with your default set as an additional filter. It will further filter your results, rather than giving you additional authorization. + +.HBase Shell +==== +---- +hbase> get_auths 'myUser' +hbase> scan 'table1', AUTHORIZATIONS => ['private'] +---- +==== + +.Java API +==== +[source,java] +---- +... +public Void run() throws Exception { + String[] auths1 = { SECRET, CONFIDENTIAL }; + GetAuthsResponse authsResponse = null; + try { + VisibilityClient.setAuths(conf, auths1, user); + try { + authsResponse = VisibilityClient.getAuths(conf, user); + } catch (Throwable e) { + fail("Should not have failed"); + } + } catch (Throwable e) { + } + List authsList = new ArrayList(); + for (ByteString authBS : authsResponse.getAuthList()) { + authsList.add(Bytes.toString(authBS.toByteArray())); + } + assertEquals(2, authsList.size()); + assertTrue(authsList.contains(SECRET)); + assertTrue(authsList.contains(CONFIDENTIAL)); + return null; +} +... +---- +==== + + ==== Implementing Your Own Visibility Label Algorithm
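Review bot: The first added paragraph tells a superuser to view a user's default authorizations with `set_auths` and `setAuths()`, but those are the calls that assign authorizations; the shell example below uses `get_auths` and the link target names getAuths, so the text should read `get_auths` and `getAuths()`. The same link URL reads `VisibilityClient.htmlsgetAuths`, which looks like a missing `#` before the anchor (compare `Scan.html#setAuthorizations` in the next paragraph). In the Java sample the outer `catch (Throwable e) { }` is empty, so a failed `setAuths` is swallowed and `authsResponse.getAuthList()` is then called on a null reference; let the exception propagate or call `fail(...)` there too. The sample also never calls `setAuthorizations()` on a Scan or Get, which is the read path this section describes, so readers get no example of the filtering behaviour the text explains.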