diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index 072f251..3f4c692 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -1273,13 +1273,60 @@ static Table createTableAndWriteDataWithLabels(TableName tableName, String... la
 ----
 ====
+<>
+==== Reading Cells with Labels
+When you issue a Scan or Get, HBase uses your default set of authorizations to filter out cells that you do not have access to. A superuser can see the default set of authorizations for a given user by using the `set_auths` HBase Shell command or the link:http://hbase.apache.org/devapidocs/org/apache/hadoop/hbase/security/visibility/VisibilityClient.htmlsgetAuths%28org.apache.hadoop.conf.Configuration,%20java.lang.String%29[setAuths()] method.
+
+You can specify a different authorization during the Scan or Get, by passing the AUTHORIZATIONS option in HBase Shell, or the link:http://hbase.apache.org/apidocs/org/apache/hadoop/hbase/client/Scan.html#setAuthorizations%28org.apache.hadoop.hbase.security.visibility.Authorizations%29[setAuthorizations()] method if you use the API. This authorization will be combined with your default set as an additional filter. It will further filter your results, rather than giving you additional authorization.
+
+.HBase Shell
+====
+----
+hbase> get_auths 'myUser'
+hbase> scan 'table1', AUTHORIZATIONS => ['private']
+----
+====
+
+.Java API
+====
+[source,java]
+----
+...
+public Void run() throws Exception {
+ String[] auths1 = { SECRET, CONFIDENTIAL };
+ GetAuthsResponse authsResponse = null;
+ try {
+ VisibilityClient.setAuths(conf, auths1, user);
+ try {
+ authsResponse = VisibilityClient.getAuths(conf, user);
+ } catch (Throwable e) {
+ fail("Should not have failed");
+ }
+ } catch (Throwable e) {
+ }
+ List authsList = new ArrayList();
+ for (ByteString authBS : authsResponse.getAuthList()) {
+ authsList.add(Bytes.toString(authBS.toByteArray()));
+ }
+ assertEquals(2, authsList.size());
+ assertTrue(authsList.contains(SECRET));
+ assertTrue(authsList.contains(CONFIDENTIAL));
+ return null;
+}
+...
+---- +==== + + ==== Implementing Your Own Visibility Label Algorithm Interpreting the labels authenticated for a given get/scan request is a pluggable algorithm. You can specify a custom plugin by using the property `hbase.regionserver.scan.visibility.label.generator.class`. -The default implementation class is `org.apache.hadoop.hbase.security.visibility.DefaultScanLabelGenerator`. -You can also configure a set of `ScanLabelGenerators` to be used by the system, as a comma-separated list. +The default implementation class is `org.apache.hadoop.hbase.security.visibility.DefaultScanLabelGenerator`, which was implemented in link:https://issues.apache.org/jira/browse/HBASE-12466[HBASE-12468]. See <>. + +You can also configure a set, or "stack", of `ScanLabelGenerator`s to be used by the system, as a comma-separated list. The output for the first `ScanLabelGenerator` will be the input for the next one, until the end of the list. + ==== Replicating Visibility Tags as Strings