You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2010/09/28 17:52:34 UTC

[jira] Created: (HBASE-3045) Extend HBASE-3025 into a role based access control model using "HBase groups"

Extend HBASE-3025 into a role based access control model using "HBase groups"
-----------------------------------------------------------------------------

                 Key: HBASE-3045
                 URL: https://issues.apache.org/jira/browse/HBASE-3045
             Project: HBase
          Issue Type: Sub-task
            Reporter: Andrew Purtell
            Assignee: Eugene Koontz




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HBASE-3045) Extend HBASE-3025 into a role based access control model using "HBase groups"

Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915873#action_12915873 ] 

Gary Helmling commented on HBASE-3045:
--------------------------------------

bq. It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

That's definitely the plan for HBASE-3025, where a user's groups (as resolved by GroupMappingService) can also be used for permission assignments.

This issue proposes adding an additional layer of HBase persisted and manipulated roles, where a role can contain members who are:
* users
* groups
* other roles

This is more akin to PostgreSQL role management.  You could then set say a "webapp" role that has certain access rights to a set of tables and add users or groups as needed.   You can model the same thing with external groups and memberships, but recursive roles give a bit more flexibility to the policy definitions.

> Extend HBASE-3025 into a role based access control model using "HBase groups"
> -----------------------------------------------------------------------------
>
>                 Key: HBASE-3045
>                 URL: https://issues.apache.org/jira/browse/HBASE-3045
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Eugene Koontz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HBASE-3045) Extend HBASE-3025 into a role based access control model using "HBase groups"

Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915884#action_12915884 ] 

Todd Lipcon commented on HBASE-3045:
------------------------------------

OK. I think it's a good idea to separate the terminology clearly between _roles_ (defined and managed as HBase metadata) and _groups_ (defined and managed by the groups mapping service). Otherwise we are going to have some very confused users.

> Extend HBASE-3025 into a role based access control model using "HBase groups"
> -----------------------------------------------------------------------------
>
>                 Key: HBASE-3045
>                 URL: https://issues.apache.org/jira/browse/HBASE-3045
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Eugene Koontz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HBASE-3045) Extend HBASE-3025 into a role based access control model using "HBase groups"

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915892#action_12915892 ] 

Andrew Purtell commented on HBASE-3045:
---------------------------------------

Noted.

> Extend HBASE-3025 into a role based access control model using "HBase groups"
> -----------------------------------------------------------------------------
>
>                 Key: HBASE-3045
>                 URL: https://issues.apache.org/jira/browse/HBASE-3045
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Eugene Koontz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HBASE-3045) Extend HBASE-3025 into a role based access control model using "HBase groups"

Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915861#action_12915861 ] 

Todd Lipcon commented on HBASE-3045:
------------------------------------

Can you clarify the purpose and management of HBase groups as distinct entities from HDFS groups?

It seems to me we would like to use the same GroupMappingService interface that HDFS uses, so that by default the groups match up between the systems.

> Extend HBASE-3025 into a role based access control model using "HBase groups"
> -----------------------------------------------------------------------------
>
>                 Key: HBASE-3045
>                 URL: https://issues.apache.org/jira/browse/HBASE-3045
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>            Assignee: Eugene Koontz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.