Posted to dev@hbase.apache.org by "Clay B. (Jira)" <ji...@apache.org> on 2020/12/03 22:49:00 UTC

[jira] [Resolved] (HBASE-21591) Support ability to have host based permissions

     [ https://issues.apache.org/jira/browse/HBASE-21591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clay B. resolved HBASE-21591.
-----------------------------
    Resolution: Won't Fix

I do not have the intention to work on this further as I have been informed one can achieve this using Apache Ranger in front of HBase.

> Support ability to have host based permissions
> ----------------------------------------------
>
>                 Key: HBASE-21591
>                 URL: https://issues.apache.org/jira/browse/HBASE-21591
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Clay B.
>            Assignee: Clay B.
>            Priority: Trivial
>
> Today, one can put in an ACL rule where a user is not permitted to read data but can insert data (e.g. {{grant 'user', 'table', 'W'}}). However, one cannot implement HBase as a "drop-box" for data whereby in a secure network, one can read and write data but outside that secure network one can only write data; and I do not believe this is possible with custom access controllers, unless one "wraps" HBase; e.g. with the HBase REST server.
> I have been pushing for this model (e.g. [Of Data Dropboxes and Data Gloveboxes|https://thestrangeloop.com/2018/of-data-dropboxes-and-data-gloveboxes.html] or [slides|http://clayb.net/presentations/Of%20Data%20Dropboxes%20and%20Data%20Gloveboxes.pdf]) in a number of technologies for some data compartmentalization initiatives.
> I propose passing the requester's host information through the HBase authentication stack so that the ACL model in HBase can work akin to the SQL semantics of {{user@host}} or {{user@<anywhere>}}. The expected impact would be to HBase private interfaces only; so far in POC'ing it seems the following would be impacted:
> Access Control Classes/ACL Table Management:
> * AccessControlUtil
> * UserPermission
> * AccessChecker
> * AccessControlFilter
> * AccessController
> * AuthResult
> * TableAuthManager
> * AccessControl.proto
> Co-Processor APIs for Checking Authentication:
> * CoprocessorHost
> * ObserverContext
> * ObserverContextImpl
> * RSRpcServices
> * RSGroupAdminEndpoint



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
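
The "drop-box" semantics described in the issue, modelled as an added example; this is not HBase code and not part of the original message. The `Grant` type, the CIDR host notation, and the `events` table and `ingest` user are assumptions made for illustration; only the `user@host` / `user@<anywhere>` idea and the R/W permission letters come from the issue text.

```python
import ipaddress
from dataclasses import dataclass

ANYWHERE = "<anywhere>"  # wildcard host, mirroring user@<anywhere> in the issue


@dataclass(frozen=True)
class Grant:
    """Hypothetical host-scoped ACL entry: user@host may perform actions on table."""
    user: str
    host: str            # ANYWHERE or a CIDR block (assumed notation)
    table: str
    actions: frozenset   # subset of permission letters such as R and W


def host_matches(pattern, client_ip):
    """True if client_ip falls under pattern; malformed input fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
        if pattern == ANYWHERE:
            return True
        return addr in ipaddress.ip_network(pattern)
    except ValueError:
        return False


def allowed_actions(grants, user, client_ip, table):
    """Union of the actions from every grant matching user, table and host."""
    actions = set()
    for g in grants:
        if g.user == user and g.table == table and host_matches(g.host, client_ip):
            actions |= g.actions
    return actions


def check(grants, user, client_ip, table, action):
    # client_ip is assumed to be the peer address the server itself observed
    # on the connection, never a value supplied by the client.
    return action in allowed_actions(grants, user, client_ip, table)


# Constructed drop-box policy: write from anywhere, read only inside 10.20.0.0/16.
DROPBOX = [
    Grant("ingest", ANYWHERE, "events", frozenset("W")),
    Grant("ingest", "10.20.0.0/16", "events", frozenset("RW")),
]
```
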