You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "ShiXing (JIRA)" <ji...@apache.org> on 2012/06/29 12:09:42 UTC
[jira] [Created] (HBASE-6292) Compact can skip the security access
control
ShiXing created HBASE-6292:
------------------------------
Summary: Compact can skip the security access control
Key: HBASE-6292
URL: https://issues.apache.org/jira/browse/HBASE-6292
Project: HBase
Issue Type: Bug
Components: security
Reporter: ShiXing
Assignee: ShiXing
When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
Example:
user "mapred" do not have permission "Admin",
{code}
hbase(main):001:0> user_permission 'Security'
User Table,Family,Qualifier:Permission
mapred Security,f1,c1: [Permission: actions=READ,WRITE]
hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
0 row(s) in 0.0590 seconds
hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
0 row(s) in 0.0040 seconds
hbase(main):006:0> compact 'Security'
0 row(s) in 0.0260 seconds
{code}
Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6292) Compact can skip the security access
control
Posted by "ShiXing (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ShiXing updated HBASE-6292:
---------------------------
Attachment: HBASE-6292-trunk-V1.patch
Patch for trunk
If this patch can be commited, then the patches for 0.92 0.94.0 and 0.94.1 I will supply.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13411179#comment-13411179 ]
Hudson commented on HBASE-6292:
-------------------------------
Integrated in HBase-0.94-security #39 (See [https://builds.apache.org/job/HBase-0.94-security/39/])
HBASE-6292. Compact can skip the security access control (ShiXing) (Revision 1355826)
Result = SUCCESS
apurtell :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionObserver.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionObserver.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/CompactSplitThread.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/CompactionRequestor.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/MemStoreFlusher.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/Store.java
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404657#comment-13404657 ]
Hudson commented on HBASE-6292:
-------------------------------
Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #76 (See [https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/76/])
HBASE-6292. Compact can skip the security access control (ShiXing) (Revision 1355825)
Result = FAILURE
apurtell :
Files :
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionObserver.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionObserver.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/CompactSplitThread.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/CompactionRequestor.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/MemStoreFlusher.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/Store.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6292) Compact can skip the security access
control
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Laxman updated HBASE-6292:
--------------------------
Affects Version/s: 0.94.1
0.96.0
0.94.0
Labels: acl security (was: )
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404646#comment-13404646 ]
Hudson commented on HBASE-6292:
-------------------------------
Integrated in HBase-0.94 #288 (See [https://builds.apache.org/job/HBase-0.94/288/])
HBASE-6292. Compact can skip the security access control (ShiXing) (Revision 1355826)
Result = FAILURE
apurtell :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionObserver.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionObserver.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/CompactSplitThread.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/CompactionRequestor.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/MemStoreFlusher.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/regionserver/Store.java
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404586#comment-13404586 ]
Andrew Purtell commented on HBASE-6292:
---------------------------------------
bq. If this patch can be commited, then the patches for 0.92 0.94.0 and 0.94.1 I will supply.
For trunk and 0.94 this is ok. We have not been committing any "v2" changes to 0.92. I recommend evaluating what should go back, if anything, after all of this work is completed.
bq. The change on the API is ok? The adding of the IOException?
Throwing IOE out of a hook is consistent with the use of IOE elsewhere in the CP framework and the larger codebase. Until we change that (re: Benoit's rant) it makes sense.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: Andrew Purtell
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6292) Compact can skip the security access
control
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell updated HBASE-6292:
----------------------------------
Issue Type: Sub-task (was: Bug)
Parent: HBASE-5352
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: ShiXing
> Assignee: ShiXing
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (HBASE-6292) Compact can skip the security access
control
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
stack reassigned HBASE-6292:
----------------------------
Assignee: Andrew Purtell (was: ShiXing)
Mind taking a look Andrew (and assigning back to ShiXing after)? Let me know if this assign inapproprate.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: Andrew Purtell
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404590#comment-13404590 ]
Andrew Purtell commented on HBASE-6292:
---------------------------------------
I have changes for trunk and 0.94 queued for commit and will do so after local tests pass.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (HBASE-6292) Compact can skip the security access
control
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell reassigned HBASE-6292:
-------------------------------------
Assignee: ShiXing (was: Andrew Purtell)
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404626#comment-13404626 ]
stack commented on HBASE-6292:
------------------------------
Thanks for review Andrew. Agree on above.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404702#comment-13404702 ]
Laxman commented on HBASE-6292:
-------------------------------
bq. Should we change the doc for the ACL Matrix?
Yes ShiXing.
bq. I will update the matrix HBASE-6192 accordingly.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403862#comment-13403862 ]
Laxman commented on HBASE-6292:
-------------------------------
yes shixing, seems to be a problem. do you have a patch for this?
I will update the matrix [HBASE-6192] accordingly.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Bug
> Components: security
> Reporter: ShiXing
> Assignee: ShiXing
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404521#comment-13404521 ]
stack commented on HBASE-6292:
------------------------------
Patch looks good to me. The change on the API is ok? The adding of the IOException? Could the IOE be more precise in some places? A permissiondeniedexception?
Good stuff ShiXing.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: Andrew Purtell
> Labels: acl, security
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "ShiXing (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404667#comment-13404667 ]
ShiXing commented on HBASE-6292:
--------------------------------
@Andrew, I see the ACL Matrix in HBASE-6192
{code}
RegionServer | CompactSelection | REGION | INTERNAL | NA
{code}
And this patch has changed it by add preCompactSelection requirePermission(). Should we change the doc for the ACL Matrix?
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (HBASE-6292) Compact can skip the security access
control
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Purtell resolved HBASE-6292.
-----------------------------------
Resolution: Fixed
Fix Version/s: 0.94.1
0.96.0
Hadoop Flags: Reviewed
Committed to trunk and 0.94 branches. All tests pass locally including new case in TestAccessController.
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (HBASE-6292) Compact can skip the security access
control
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Hofhansl closed HBASE-6292.
--------------------------------
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.94.1, 0.96.0
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.94.1, 0.96.0
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6292) Compact can skip the security
access control
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404643#comment-13404643 ]
Hudson commented on HBASE-6292:
-------------------------------
Integrated in HBase-TRUNK #3089 (See [https://builds.apache.org/job/HBase-TRUNK/3089/])
HBASE-6292. Compact can skip the security access control (ShiXing) (Revision 1355825)
Result = SUCCESS
apurtell :
Files :
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseRegionObserver.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/RegionObserver.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/CompactSplitThread.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/CompactionRequestor.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/MemStoreFlusher.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/Store.java
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
* /hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
> Compact can skip the security access control
> --------------------------------------------
>
> Key: HBASE-6292
> URL: https://issues.apache.org/jira/browse/HBASE-6292
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.94.0, 0.96.0, 0.94.1
> Reporter: ShiXing
> Assignee: ShiXing
> Labels: acl, security
> Fix For: 0.96.0, 0.94.1
>
> Attachments: HBASE-6292-trunk-V1.patch
>
>
> When client sends compact command to rs, the rs just create a CompactionRequest, and then put it into the thread pool to process the CompactionRequest. And when the region do the compact, it uses the rs's ugi to process the compact, so the compact can successfully done.
> Example:
> user "mapred" do not have permission "Admin",
> {code}
> hbase(main):001:0> user_permission 'Security'
> User Table,Family,Qualifier:Permission
> mapred Security,f1,c1: [Permission: actions=READ,WRITE]
> hbase(main):004:0> put 'Security', 'r6', 'f1:c1', 'v9'
> 0 row(s) in 0.0590 seconds
> hbase(main):005:0> put 'Security', 'r6', 'f1:c1', 'v10'
> 0 row(s) in 0.0040 seconds
> hbase(main):006:0> compact 'Security'
> 0 row(s) in 0.0260 seconds
> {code}
> Maybe we can add permission check in the preCompactSelection() ?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira