Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2014/06/26 00:48:24 UTC
[jira] [Comment Edited] (HBASE-11411) [AccessController] Cell level permissions were not checked when using CELL_FIRST_STRATEGY
[ https://issues.apache.org/jira/browse/HBASE-11411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14044149#comment-14044149 ]
Andrew Purtell edited comment on HBASE-11411 at 6/25/14 10:46 PM:
------------------------------------------------------------------
You haven't convinced me the behavior is incorrect. CHECK_CELL_FIRST won't work by default after HBASE-11070 on trunk (where compatible early termination is enabled by default) but will in 0.98 (where compatible early termination is disabled by default). See the issue for more discussion.
Need a unit test verifying the problem in 0.98 first.
was (Author: apurtell):
You haven't convinced me the behavior is incorrect. CHECK_CELL_FIRST won't work with compatible early termination after HBASE-11070 on trunk (where compatible early termination is enabled by default) but will in 0.98 (where compatible early termination is disabled by default). See the issue for more discussion.
Need a unit test verifying the problem in 0.98 first.
> [AccessController] Cell level permissions were not checked when using CELL_FIRST_STRATEGY
> -----------------------------------------------------------------------------------------
>
> Key: HBASE-11411
> URL: https://issues.apache.org/jira/browse/HBASE-11411
> Project: HBase
> Issue Type: Bug
> Affects Versions: 0.98.3
> Reporter: ramkrishna.s.vasudevan
> Assignee: ramkrishna.s.vasudevan
> Fix For: 0.99.0, 0.98.4
>
> Attachments: HBASE-11411.patch
>
>
> In doing read operations with ACL we were checking there is read permission granted on the table
> {code}
> AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);
> HRegion region = getRegion(env);
> TableName table = getTableName(region);
> Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();
> for (HColumnDescriptor hcd : region.getTableDesc().getFamilies()) {
>   cfVsMaxVersions.put(new SimpleByteRange(hcd.getName()), hcd.getMaxVersions());
> }
> {code}
> If there is no permission then we were checking for the type of cell level permission
> {code}
> case CHECK_CELL_DEFAULT: {
>   if (authManager.authorize(user, table, family, qualifier, Permission.Action.READ) ||
>       authManager.authorize(user, table, cell, Permission.Action.READ)) {
>     return ReturnCode.INCLUDE;
>   }
> }
> break;
> // Cell permissions must authorize
> case CHECK_CELL_FIRST: {
>   if (authManager.authorize(user, table, cell, Permission.Action.READ) &&
>       authManager.authorize(user, table, family, qualifier, Permission.Action.READ)) {
>     return ReturnCode.INCLUDE;
>   }
> {code}
> For CELL_FIRST_STRATEGY
> -> If the user had granted READ permission on the table itself then even if cell level was not granting access we were able to read the cell.
> -> If table level READ permission was not there then the && condition was failing from reading any cell even with READ permission.
> The 2nd one was an intended behaviour but for the first one I think we should see if really the cell was readable too.
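The read-path decision as the issue description reports it, written out as a small self-contained model. This is an added example, not HBase code or anything from the attached patch: the class, record and method names and the sample grants are hypothetical, and the family/qualifier check is reduced to a family-level set.

```java
import java.util.Set;

// Simplified model of the read-path decision described in the report.
// All names are hypothetical; this is not HBase's AccessController.
public class CellFirstModel {
    enum Strategy { CHECK_CELL_DEFAULT, CHECK_CELL_FIRST }

    // Constructed grants for one user: the scopes that carry READ.
    record Grants(boolean tableRead, Set<String> familyRead, Set<String> cellRead) {}

    // Per-cell filter, mirroring the two switch cases quoted in the issue.
    static boolean cellFilter(Strategy s, Grants g, String family, String cellId) {
        boolean cf = g.familyRead().contains(family);   // family/qualifier grant
        boolean cell = g.cellRead().contains(cellId);   // ACL carried by the cell
        return s == Strategy.CHECK_CELL_DEFAULT ? (cf || cell) : (cell && cf);
    }

    // Read path as reported: the table-level check runs first and the
    // per-cell filter is consulted only when that check does not grant.
    static boolean canRead(Strategy s, Grants g, String family, String cellId) {
        if (g.tableRead()) {
            return true; // cell ACL is never evaluated on this branch
        }
        return cellFilter(s, g, family, cellId);
    }

    public static void main(String[] args) {
        String cellId = "row1/f:q"; // constructed cell identifier
        Grants tableOnly = new Grants(true, Set.of(), Set.of());
        Grants cellOnly = new Grants(false, Set.of(), Set.of(cellId));
        Grants cellAndCf = new Grants(false, Set.of("f"), Set.of(cellId));
        for (Strategy s : Strategy.values()) {
            System.out.printf("%-18s tableOnly=%b cellOnly=%b cellAndCf=%b%n", s,
                canRead(s, tableOnly, "f", cellId),
                canRead(s, cellOnly, "f", cellId),
                canRead(s, cellAndCf, "f", cellId));
        }
    }
}
```

Requires Java 16 or later for records. The `tableOnly` and `cellOnly` columns under `CHECK_CELL_FIRST` correspond to the two cases the reporter lists.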