Posted to dev@phoenix.apache.org by "Karan Mehta (JIRA)" <ji...@apache.org> on 2017/11/09 00:07:00 UTC

[jira] [Commented] (PHOENIX-672) Add GRANT and REVOKE commands using HBase AccessController

    [ https://issues.apache.org/jira/browse/PHOENIX-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244968#comment-16244968 ] 

Karan Mehta commented on PHOENIX-672:
-------------------------------------

The SQL syntax for REVOKE permissions supports revoking individual permissions based on conditions. For example, if a user has RW access on a table, we can write a SQL query to revoke just read access on the table. However, the HBase Revoke API in {{AccessControlClient}} doesn't provide that functionality out of the box. It takes in permissions as an input parameter; however, it doesn't use them. The revoke option works by deleting the specific row and column qualifier from the hbase:acl table. The HBase shell command for revoke also doesn't take permissions as input.

At this point we have two choices:
1. We can be in sync with how HBase handles permissions and the SQL query for REVOKE will not include permissions. We need to document this behaviour. This is similar to how GRANT behavior is defined.
2. Follow the SQL syntax. This would require us to read the hbase:acl table to get the current permissions, determine the diff and remove the permissions provided by the user.

I would personally prefer option 1 since it reduces complexity and helps to keep in sync with how HBase works. We also need to add an option for users to view permissions as well, which may be carried out as part of a separate JIRA.
Please advise. [~jamestaylor] [~apurtell] [~ankit@apache.org] [~elserj]

> Add GRANT and REVOKE commands using HBase AccessController
> ----------------------------------------------------------
>
>                 Key: PHOENIX-672
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-672
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: James Taylor
>            Assignee: Karan Mehta
>              Labels: namespaces, security
>             Fix For: 4.14.0
>
>
> In HBase 0.98, cell-level security will be available. Take a look at [this](https://communities.intel.com/community/datastack/blog/2013/10/29/hbase-cell-security) excellent blog post by @apurtell. Once Phoenix works on 0.96, we should add support for security to our SQL grammar.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
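
The two choices from the comment above, side by side, as an added example (not Phoenix or HBase code, and not part of the original message). An in-memory map stands in for the hbase:acl table; the class, the method names and the sample table and user are hypothetical.

```java
import java.util.*;

// Added illustration: an in-memory stand-in for hbase:acl, not Phoenix or HBase code.
public class RevokeSemantics {
    // Local enum mirroring the HBase permission letters R, W, X, C, A.
    enum Action { READ, WRITE, EXEC, CREATE, ADMIN }

    // Hypothetical model: key is "table/user", value is the set of granted actions.
    static final Map<String, EnumSet<Action>> acl = new HashMap<>();

    static String key(String table, String user) { return table + "/" + user; }

    // Model assumption: a grant replaces whatever entry was there before.
    static void grant(String table, String user, EnumSet<Action> actions) {
        acl.put(key(table, user), EnumSet.copyOf(actions));
    }

    // Choice 1: revoke as the comment describes it for the HBase API. The
    // actions argument is accepted but never read; the whole entry is deleted.
    static void revokeEntry(String table, String user, EnumSet<Action> ignored) {
        acl.remove(key(table, user));
    }

    // Choice 2: read the current permissions, compute the diff, write back the rest.
    static EnumSet<Action> revokeActions(String table, String user, EnumSet<Action> toRevoke) {
        EnumSet<Action> current = acl.get(key(table, user));
        if (current == null) return EnumSet.noneOf(Action.class); // nothing was granted
        EnumSet<Action> remaining = EnumSet.copyOf(current);
        remaining.removeAll(toRevoke);            // actions the user never held are a no-op
        if (remaining.isEmpty()) acl.remove(key(table, user)); // last action gone: drop the entry
        else acl.put(key(table, user), remaining);
        return remaining;
    }

    public static void main(String[] args) {
        // Constructed sample data: user "alice" holds RW on table "T1".
        grant("T1", "alice", EnumSet.of(Action.READ, Action.WRITE));
        revokeEntry("T1", "alice", EnumSet.of(Action.READ));
        System.out.println("choice 1, revoke naming READ: " + acl.get(key("T1", "alice")));

        grant("T1", "alice", EnumSet.of(Action.READ, Action.WRITE));
        System.out.println("choice 2, revoke READ:        "
                + revokeActions("T1", "alice", EnumSet.of(Action.READ)));
        System.out.println("choice 2, revoke ADMIN:       "
                + revokeActions("T1", "alice", EnumSet.of(Action.ADMIN)));
        System.out.println("choice 2, revoke WRITE:       "
                + revokeActions("T1", "alice", EnumSet.of(Action.WRITE)));
        System.out.println("entry still present:          " + acl.containsKey(key("T1", "alice")));
    }
}
```

In choice 2 the read and the write-back are separate steps, so an implementation against the real table would have to account for a grant landing between them.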