diff --git a/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb b/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb index 7bf4252..8553fa6 100644 --- a/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb +++ b/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb @@ -20,12 +20,13 @@ module Shell class ClearAuths < Command def help return <<-EOF -Add a set of visibility labels for an user that has to removed -Syntax : clear_auths 'user1',[label1, label2] +Clear visibility labels from a user or group +Syntax : clear_auths 'user',[label1, label2] For example: hbase> clear_auths 'user1', ['SECRET','PRIVATE'] + hbase> clear_auths '@group1', ['SECRET','PRIVATE'] EOF end diff --git a/hbase-shell/src/main/ruby/shell/commands/get_auths.rb b/hbase-shell/src/main/ruby/shell/commands/get_auths.rb index 2bc3e09..1b758ef 100644 --- a/hbase-shell/src/main/ruby/shell/commands/get_auths.rb +++ b/hbase-shell/src/main/ruby/shell/commands/get_auths.rb @@ -20,12 +20,13 @@ module Shell class GetAuths < Command def help return <<-EOF -Get the visibility labels set for a particular user -Syntax : get_auths 'user1' +Get the visibility labels set for a particular user or group +Syntax : get_auths 'user' For example: hbase> get_auths 'user1' + hbase> get_auths '@group1' EOF end diff --git a/hbase-shell/src/main/ruby/shell/commands/set_auths.rb b/hbase-shell/src/main/ruby/shell/commands/set_auths.rb index 6679719..4a52eb0 100644 --- a/hbase-shell/src/main/ruby/shell/commands/set_auths.rb +++ b/hbase-shell/src/main/ruby/shell/commands/set_auths.rb @@ -20,12 +20,13 @@ module Shell class SetAuths < Command def help return <<-EOF -Add a set of visibility labels for an user -Syntax : set_auths 'user1',[label1, label2] +Add a set of visibility labels for a user or group +Syntax : set_auths 'user',[label1, label2] For example: hbase> set_auths 'user1', ['SECRET','PRIVATE'] + hbase> set_auths '@group1', ['SECRET','PRIVATE'] EOF end 
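Review bot: The new `clear_auths` help never states that a group is selected by a leading `@`; the Syntax line still shows only `'user'`, so the convention is visible only in the added example. The `get_auths` and `set_auths` hunks have the same gap. I would add a line such as `A group is given with an '@' prefix, e.g. '@group1'` to each heredoc. The security.adoc change in this commit says a user's checks also include the labels of the user's groups, so presumably clearing a label from a user leaves any copy held through a group in place. If so, the `clear_auths` help should say that too, for example `Labels the user holds through a group are not removed`.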
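Review bot: The `get_auths` help now reads "for a particular user or group" but does not say that a user's result omits labels inherited from groups, which the security.adoc hunk in this same commit documents. An operator who audits a user's effective access with `get_auths 'user1'` would see fewer labels than the server applies at read time. I would add a line under the first line of the heredoc, such as `Only labels set directly on the user are returned; labels held through groups are not included`.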
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc index ae74661..25153a5 100644 --- a/src/main/asciidoc/_chapters/security.adoc +++ b/src/main/asciidoc/_chapters/security.adoc @@ -1057,6 +1057,9 @@ The default plugin passes through labels specified in Authorizations added to th When the client passes labels for which the user is not authenticated, the default plugin drops them. You can pass a subset of user authenticated labels via the `Get#setAuthorizations(Authorizations(String,...))` and `Scan#setAuthorizations(Authorizations(String,...));` methods. +Groups can be granted visibility labels the same way as users. Groups are prefixed with an @ symbol. When checking visibility labels of a user, the server will include the visibility labels of the groups of which the user is a member, together with the user's own labels. +When the visibility labels are retrieved using API `VisibilityClient#getAuths` or Shell command `get_auths` for a user, we will return labels added specifically for that user alone, not the group level labels. + Visibility label access checking is performed by the VisibilityController coprocessor. You can use interface `VisibilityLabelService` to provide a custom implementation and/or control the way that visibility labels are stored with cells. See the source file _hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithCustomVisLabService.java_ for one example. @@ -1171,12 +1174,16 @@ hbase> set_auths 'service', [ 'service' ] ---- ---- -gbase> set_auths 'testuser', [ 'test' ] +hbase> set_auths 'testuser', [ 'test' ] ---- ---- hbase> set_auths 'qa', [ 'test', 'developer' ] ---- + +---- +hbase> set_auths '@qagroup', [ 'test' ] +---- ==== + .Java API @@ -1213,6 +1220,10 @@ hbase> clear_auths 'testuser', [ 'test' ] ---- hbase> clear_auths 'qa', [ 'test', 'developer' ] ---- + +---- +hbase> clear_auths '@qagroup', [ 'test', 'developer' ] +---- ==== + .Java API