Posted to user@hbase.apache.org by Jim Hughes <jh...@ccri.com> on 2018/03/30 15:27:48 UTC

Cell-level security with Coprocessors

Hi all,

I'm interested in combining an HBase Coprocessor with cell level 
security.  As a quick example, suppose one wanted to use the 
ColumnAggregation Processor with cells with different authorizations.  
Different users should be able to scan and see the sum of the entries 
that they'd normally be able to scan.

From the first few hours of looking, it appears that Coprocessors call 
out to the RegionServer's getScanner method which does not apply any 
security by default.

Have others had success combining custom coprocessors with cell-level 
security?  That is, are there any pointers for getting started?

Cheers,

Jim


Re: Cell-level security with Coprocessors

Posted by Jim Hughes <jh...@ccri.com>.
Hi Anoop,

Here's a ticket for the discussion: 
https://issues.apache.org/jira/browse/HBASE-20374.

I found what you are mentioning, and I was able to integrate my custom 
coprocessor in GeoMesa by calling out to 
rs.getCoprocessorHost.preScannerOpen(scan) in order to enable the 
VisibilityController to insert its filters...

To be honest, this is definitely a corner case.  I think the fix might 
be to have the Region.getScanner implementation (2) call out to any 
other Coprocessors to intercept as they are designed to.

Cheers,

Jim

1. 
https://github.com/locationtech/geomesa/blob/master/geomesa-hbase/geomesa-hbase-datastore/src/main/scala/org/locationtech/geomesa/hbase/coprocessor/GeoMesaCoprocessor.scala#L65
2. 
https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegion.java#L2783-L2829

On 2018-04-09 06:49, Anoop John wrote:
> Hi Jim
> Just taking your example: Use cell level labels along with
> AggregationClient - It will NOT work.  The reason is the Aggregation
> impl for the server side will create scanner directly over the Region.
> As you know, the cell level security features work with the help of a
> coprocessor and it expects the CP to be informed while opening of
> scanner.  But the CP contact while opening the scanner is one layer
> above the Region level (i.e. at RSRpcServices).  So when the
> Aggregation service impl is opening the scanner, the visibility
> related CP will not get into the picture.  If that was not the case, the
> rest of the things would have been just fine for your need.  Mind
> opening an issue and we discuss under that for the possible fixes?
> 
> -Anoop-
> 
> On Fri, Mar 30, 2018 at 8:57 PM, Jim Hughes <jh...@ccri.com> wrote:
>> Hi all,
>> 
>> I'm interested in combining an HBase Coprocessor with cell level 
>> security.
>> As a quick example, suppose one wanted to use the ColumnAggregation
>> Processor with cells with different authorizations.  Different users 
>> should
>> be able to scan and see the sum of the entries that they'd normally be 
>> able
>> to scan.
>> 
>> From the first few hours of looking, it appears that Coprocessors call 
>> out
>> to the RegionServer's getScanner method which does not apply any 
>> security by
>> default.
>> 
>> Have others had success combining custom coprocessors with cell-level
>> security?  That is, are there any pointers for getting started?
>> 
>> Cheers,
>> 
>> Jim
>> 

Re: Cell-level security with Coprocessors

Posted by Anoop John <an...@gmail.com>.
Hi Jim
Just taking your example: Use cell level labels along with
AggregationClient - It will NOT work.  The reason is the Aggregation
impl for the server side will create scanner directly over the Region.
As you know, the cell level security features work with the help of a
coprocessor and it expects the CP to be informed while opening of
scanner.  But the CP contact while opening the scanner is one layer
above the Region level (i.e. at RSRpcServices).  So when the
Aggregation service impl is opening the scanner, the visibility
related CP will not get into the picture.  If that was not the case, the
rest of the things would have been just fine for your need.  Mind
opening an issue and we discuss under that for the possible fixes?

-Anoop-

On Fri, Mar 30, 2018 at 8:57 PM, Jim Hughes <jh...@ccri.com> wrote:
> Hi all,
>
> I'm interested in combining an HBase Coprocessor with cell level security.
> As a quick example, suppose one wanted to use the ColumnAggregation
> Processor with cells with different authorizations.  Different users should
> be able to scan and see the sum of the entries that they'd normally be able
> to scan.
>
> From the first few hours of looking, it appears that Coprocessors call out
> to the RegionServer's getScanner method which does not apply any security by
> default.
>
> Have others had success combining custom coprocessors with cell-level
> security?  That is, are there any pointers for getting started?
>
> Cheers,
>
> Jim
>
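
The workaround discussed in this thread, sketched as an added example (not code from the thread, from GeoMesa, or from HBase itself): a custom endpoint runs the coprocessor host's preScannerOpen hook itself before opening the region scanner, so the VisibilityController can attach its filter to the Scan. Assumptions: HBase 1.x signatures, where Region.getCoprocessorHost() is available and RegionCoprocessorHost.preScannerOpen(Scan) returns a RegionScanner or null; the class and method names are hypothetical; cell values are 8-byte longs.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.util.Bytes;

/** Hypothetical helper for a custom endpoint coprocessor (assumes HBase 1.x signatures). */
public final class VisibilityAwareSum {

  /** Sums the cell values that survive the filters installed by region observers. */
  public static long sum(RegionCoprocessorEnvironment env, Scan scan) throws IOException {
    Region region = env.getRegion();
    RegionCoprocessorHost host = region.getCoprocessorHost();

    // RSRpcServices runs this hook for client scans; Region.getScanner does not.
    // Running it here lets VisibilityController add its label filter to the Scan.
    RegionScanner scanner = (host == null) ? null : host.preScannerOpen(scan);
    if (scanner == null) {
      // No observer supplied a replacement scanner: open the default one.
      scanner = region.getScanner(scan);
    }

    long total = 0L;
    List<Cell> row = new ArrayList<>();
    try {
      boolean more;
      do {
        row.clear();
        more = scanner.next(row);
        for (Cell cell : row) {
          // Assumption: every selected value is an 8-byte long.
          total += Bytes.toLong(CellUtil.cloneValue(cell));
        }
      } while (more);
    } finally {
      scanner.close();
    }
    return total;
  }
}
```

A regression check for an endpoint like this is to call it as two users with different label authorizations over data labelled for only one of them: identical sums mean the visibility filter was not applied.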