Posted to dev@hbase.apache.org by Lars Francke <la...@gmail.com> on 2018/11/27 19:03:43 UTC

Expose an API to get all ACLs

Hi,

I have a use-case for a customer who's looking to build an audit tool. This
audit tool should build a report of all authorizations across various
products. HBase is one of them.

Unfortunately in HBase it's not currently possible to list all ACLs without
going directly to the _hbase:acl_ table (unless I'm missing something,
which would be great).

I see that the AccessControlLists class has a loadAll method but it's not
exposed anywhere.

Are there any objections in adding a method to retrieve all ACLs across all
tables etc.? I'm not yet 100% sure on the permissions that should be
required to do this. Any opinions?
Global + Access or something similar?

Cheers,
Lars

Re: Expose an API to get all ACLs

Posted by Lars Francke <la...@gmail.com>.
On Wed, Nov 28, 2018 at 7:22 AM Stack <st...@duboce.net> wrote:

> On Tue, Nov 27, 2018 at 11:04 AM Lars Francke <la...@gmail.com>
> wrote:
>
> > Hi,
> >
> > I have a use-case for a customer who's looking to build an audit tool. This
> > audit tool should build a report of all authorizations across various
> > products. HBase is one of them.
> >
> > Unfortunately in HBase it's not currently possible to list all ACLs without
> > going directly to the _hbase:acl_ table (unless I'm missing something,
> > which would be great).
> >
> > I see that the AccessControlLists class has a loadAll method but it's not
> > exposed anywhere.
> >
> > Are there any objections in adding a method to retrieve all ACLs across all
> > tables etc.? I'm not yet 100% sure on the permissions that should be
> > required to do this. Any opinions?
> > Global + Access or something similar?
> >
> >
> Yeah. Not surprised given this is an 'internal' table.
>
> As long as there are perms on access to your new method, should be good to
> add. Anything else would be a hack I'd say Lars (reading the echo of loaded
> ACLs out to zk... or trying to read the 'internal' acl table yourself)
>

Thanks!
I agree on other methods being a hack (and relying on implementation
details).

Perfect. In that case I'll propose the solution for my client hoping he'll
sponsor the work.

Cheers,
Lars



> Thanks,
> S
>
>
>
> > Cheers,
> > Lars
> >
>

Re: Expose an API to get all ACLs

Posted by Stack <st...@duboce.net>.
On Tue, Nov 27, 2018 at 11:04 AM Lars Francke <la...@gmail.com>
wrote:

> Hi,
>
> I have a use-case for a customer who's looking to build an audit tool. This
> audit tool should build a report of all authorizations across various
> products. HBase is one of them.
>
> Unfortunately in HBase it's not currently possible to list all ACLs without
> going directly to the _hbase:acl_ table (unless I'm missing something,
> which would be great).
>
> I see that the AccessControlLists class has a loadAll method but it's not
> exposed anywhere.
>
> Are there any objections in adding a method to retrieve all ACLs across all
> tables etc.? I'm not yet 100% sure on the permissions that should be
> required to do this. Any opinions?
> Global + Access or something similar?
>
>
Yeah. Not surprised given this is an 'internal' table.

As long as there are perms on access to your new method, should be good to
add. Anything else would be a hack I'd say Lars (reading the echo of loaded
ACLs out to zk... or trying to read the 'internal' acl table yourself).

Thanks,
S



> Cheers,
> Lars
>

Re: Expose an API to get all ACLs

Posted by Lars Francke <la...@gmail.com>.
Reid, thanks for your input. Answers inline.

On Wed, Nov 28, 2018 at 3:32 AM Reid Chan <re...@outlook.com> wrote:

> What about extracting those infos from HBase's audit logs?
>

I have to admit that I didn't even think about the audit logs and I'm not
sure what they expose in terms of ACLs but either way we won't have all
audit logs from the beginning of time so we'll miss some ACLs. Therefore
this is not an option for us.


> Retrieving all ACLs sounds hard if cell level ACLs are included, otherwise
> it is feasible.
>

Yes, another good point. I'd limit myself to the ACLs stored in the acl
table for now. That is because my client does not use Cell Level ACLs or
Visibility Labels. I know that those are long-standing open issues[1] which
I don't intend to tackle.


> But from a system security perspective, exposing all ACLs is not a secure
> behavior, though we can limit the API level to
> (Global|Namespace|Table|).Admin permission only.
>

I thought about that and I'm not sure. I added a similar API to NiFi and
Kafka also has one now and while this information definitely is sensitive
there are already people who can see this data today, it just requires more
work. Agreed on the permissions!


[1] <https://issues.apache.org/jira/browse/HBASE-12470>


>
> --------------------------
>
> Best regards,
> R.C
>
>
>

Re: Expose an API to get all ACLs

Posted by Reid Chan <re...@outlook.com>.
What about extracting those infos from HBase's audit logs?

Retrieving all ACLs sounds hard if cell level ACLs are included, otherwise it is feasible.

But from a system security perspective, exposing all ACLs is not a secure behavior, though we can limit the API level to (Global|Namespace|Table|).Admin permission only.


--------------------------

Best regards,
R.C


