Posted to issues@hbase.apache.org by "Pankaj Kumar (JIRA)" <ji...@apache.org> on 2018/04/06 06:22:00 UTC

[jira] [Created] (HBASE-20357) AccessControlClient API Enhancement

Pankaj Kumar created HBASE-20357:
------------------------------------

             Summary: AccessControlClient API Enhancement
                 Key: HBASE-20357
                 URL: https://issues.apache.org/jira/browse/HBASE-20357
             Project: HBase
          Issue Type: Improvement
          Components: security
            Reporter: Pankaj Kumar
            Assignee: Pankaj Kumar


*Background:*
Currently HBase ACLs can be retrieved based on the namespace or table name only. There is no direct API available to retrieve the permissions based on the namespace, table name, column family and column qualifier for a specific user.

The client has to write application logic in multiple steps to retrieve ACLs based on table name, column name and column qualifier for a specific user.
HBase should enhance the AccessControlClient APIs to simplify this.

*AccessControlClient API should be extended with the following APIs:*

1. To retrieve permissions based on the namespace, table name, column family and column qualifier for a specific user.
   Permissions can be retrieved based on the following inputs:
     - Namespace/Table (already available)
     - Namespace/Table + UserName
     - Table + CF
     - Table + CF + UserName
     - Table + CF + CQ
     - Table + CF + CQ + UserName

   Scope of retrieving permission will be as follows:
     - Same as existing

2. To validate whether a user is allowed to perform specified operations on a particular table. This will be useful to check user privilege instead of getting ACD during client operation.
   User validation can be performed based on the following inputs:
     - Table + CF + CQ + UserName + Actions

   Scope of validating user privilege:
   A user can perform a self check without any special privilege, but ADMIN privilege will be required to perform the check for other users.
   For example, suppose there are two users "userA" & "userB"; then there can be the scenarios below:
     - When userA wants to check whether userA has the privilege to perform the mentioned actions:
         > userA doesn't need ADMIN privilege, as it's a self query.

     - When userA wants to check whether userB has the privilege to perform the mentioned actions:
         > userA must have ADMIN or superuser privilege, as it's trying to query for another user.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
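
The privilege rule described in item 2, as an added Java example that is not HBase code and not the API proposed in this issue. It is an in-memory model with hypothetical names (`AclCheckModel`, `Grant`, `hasPermission`). Assumptions: a grant at table or column-family scope covers the cells beneath it, ADMIN on the queried scope is enough to check another user, and a refused query is rejected with an exception.

```java
import java.util.*;
// Added illustration: in-memory model of the proposed check, not HBase code.
public class AclCheckModel {
    enum Action { READ, WRITE, EXEC, CREATE, ADMIN }

    // One grant; a null family or qualifier means the whole table or whole family.
    static final class Grant {
        final String user, table, family, qualifier;
        final EnumSet<Action> actions = EnumSet.noneOf(Action.class);
        Grant(String user, String table, String family, String qualifier, Action... a) {
            this.user = user; this.table = table; this.family = family; this.qualifier = qualifier;
            actions.addAll(Arrays.asList(a));
        }
        boolean covers(String t, String cf, String cq) {
            return table.equals(t) && (family == null || family.equals(cf))
                && (qualifier == null || qualifier.equals(cq));
        }
    }

    final List<Grant> grants = new ArrayList<>();
    final Set<String> superusers = new HashSet<>();

    // Union of the actions granted to user at table, CF or CQ scope covering (t, cf, cq).
    EnumSet<Action> granted(String user, String t, String cf, String cq) {
        EnumSet<Action> out = EnumSet.noneOf(Action.class);
        for (Grant g : grants)
            if (g.user.equals(user) && g.covers(t, cf, cq)) out.addAll(g.actions);
        return out;
    }

    // Self check needs no privilege; checking another user needs ADMIN or superuser (assumed: refusal throws).
    boolean hasPermission(String caller, String target, String t, String cf, String cq, Action... wanted) {
        boolean privileged = superusers.contains(caller)
            || granted(caller, t, cf, cq).contains(Action.ADMIN);
        if (!caller.equals(target) && !privileged)
            throw new SecurityException(caller + " needs ADMIN to check " + target);
        return granted(target, t, cf, cq).containsAll(Arrays.asList(wanted));
    }

    public static void main(String[] args) {
        AclCheckModel m = new AclCheckModel();   // constructed sample data below
        m.superusers.add("hbase");
        m.grants.add(new Grant("userA", "t1", "cf1", null, Action.READ));
        m.grants.add(new Grant("userB", "t1", "cf1", "q1", Action.READ, Action.WRITE));
        System.out.println(m.hasPermission("userA", "userA", "t1", "cf1", "q1", Action.READ));
        System.out.println(m.hasPermission("hbase", "userB", "t1", "cf1", "q1", Action.WRITE));
        try { m.hasPermission("userA", "userB", "t1", "cf1", "q1", Action.READ); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Performing the caller check before the target's grants are evaluated keeps an unprivileged caller from learning anything about another user's permissions, including through a true/false answer.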