You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Yi Mei (JIRA)" <ji...@apache.org> on 2019/06/24 03:59:00 UTC

[jira] [Updated] (HBASE-21995) Add a coprocessor to set HDFS ACL for hbase granted user

     [ https://issues.apache.org/jira/browse/HBASE-21995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yi Mei updated HBASE-21995:
---------------------------
    Fix Version/s: 2.3.0
                   3.0.0
     Release Note: 
Add a coprocessor to set HDFS acls to make hbase granted users with READ permission have the access to scan snapshots.
To use this feature, please make sure the HDFS config is set:
dfs.namenode.acls.enabled=true
fs.permissions.umask-mode=027

and set the HBase config:
hbase.coprocessor.master.classes="org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController"
hbase.user.scan.snapshot.enable=true

> Add a coprocessor to set HDFS ACL for hbase granted user
> --------------------------------------------------------
>
>                 Key: HBASE-21995
>                 URL: https://issues.apache.org/jira/browse/HBASE-21995
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Yi Mei
>            Assignee: Yi Mei
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> To make hbase granted user have the access to scan table snapshots, use HDFS ACLs to set user read permission over hfiles.
> The basic implementation is:
> 1. For public directories such as 'data' and 'archive', set other users' permission to '--x' to make everyone have the permission to access the directory.
> 2. For namespace or table directories such as 'data/ns/table', 'archive/ns/table' and '.hbase-snapshot/snapshotName', set user 'r-x' acl and default 'r-x' acl when following operations happen:
> grant to namespace or table / revoke from namespace or table / snapshot table
>  
> For more details, please reference the design doc: https://docs.google.com/document/d/1D2iAdbrW5CcKc2SthJBXA1n2tTMTftuVaFtxbOWFuqM/edit#heading=h.uwo33s7kz427



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)