Posted to issues@hbase.apache.org by "Enis Soztutar (Created) (JIRA)" <ji...@apache.org> on 2012/02/07 00:54:59 UTC

[jira] [Created] (HBASE-5343) Access control API in HBaseAdmin.java

Access control API in HBaseAdmin.java  
---------------------------------------

                 Key: HBASE-5343
                 URL: https://issues.apache.org/jira/browse/HBASE-5343
             Project: HBase
          Issue Type: Improvement
          Components: client, coprocessors, security
    Affects Versions: 0.94.0, 0.92.1
            Reporter: Enis Soztutar
            Assignee: Enis Soztutar


To use the access control mechanism added in HBASE-3025, users should either use the shell interface, or use the coprocessor API directly, which is not very user friendly. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HBASE-5343) Access control API in HBaseAdmin.java

Posted by "Enis Soztutar (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202903#comment-13202903 ] 

Enis Soztutar commented on HBASE-5343:
--------------------------------------

> Adding coprocessor specific methods to HBaseAdmin completely undermines the purpose of coprocessors as optionally enabled extensions, and fails to scale as features are added. Having HBaseAdmin be a jumble of methods related to specific coprocessors is not very user friendly either.

I agree that we cannot throw every interface to HBaseAdmin that is implemented as coprocessors. However, my thinking is that from the perspective of the end user, co-processors are a very advanced API, and the client should be abstracted away from the fact that authorization features are implemented as co-processors. The initial reasoning behind this issue also includes the fact that authorization and authentication are "core" features for a database.

What about introducing HBaseSecurityAdmin under ./security, which extends HBaseAdmin? We can also mark this interface as the stable public interface for security-related APIs.
                

        

[jira] [Commented] (HBASE-5343) Access control API in HBaseAdmin.java

Posted by "Andrew Purtell (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202133#comment-13202133 ] 

Andrew Purtell commented on HBASE-5343:
---------------------------------------

> We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.

-1

This issue should be resolved as 'invalid'.
                

        

[jira] [Commented] (HBASE-5343) Access control API in HBaseAdmin.java

Posted by "Gary Helmling (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202081#comment-13202081 ] 

Gary Helmling commented on HBASE-5343:
--------------------------------------

Adding coprocessor specific methods to {{HBaseAdmin}} completely undermines the purpose of coprocessors as optionally enabled extensions, and fails to scale as features are added. Having {{HBaseAdmin}} be a jumble of methods related to specific coprocessors is not very user friendly either.

Security usage requires that {{SecureRpcEngine}} be loaded and that {{AccessController}} be enabled. Yes, configuring these components is more complicated than it needs to be right now. But providing interfaces to these two optional components as a permanent part of the client-facing API presented by {{HBaseAdmin}} is not the solution.

If {{AccessControllerProtocol}} is too difficult to work with, then I think we would be better off with a simple client helper, like a {{SecurityClient}} class similar to the {{Constraints}} helper that was implemented for the constraints coprocessor.
                
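The two optional components Gary Helmling's comment names have to be switched on in the server-side hbase-site.xml before any grant/revoke call, from the shell or from a client helper, has an effect. The fragment below is an added example, not part of the original thread; it assumes the property and class names documented for the 0.92/0.94 security build and leaves out the Kerberos principal and keytab settings.

```xml
<!-- Added example: hbase-site.xml fragment for the master and every region
     server. Assumes a security-enabled 0.92/0.94 build; Kerberos principal
     and keytab properties are omitted. -->
<configuration>
  <!-- Authenticated RPC: without this, callers are not identified and
       per-user permissions cannot be enforced. -->
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
  </property>

  <!-- Authorization: AccessController must be loaded on BOTH the master
       (table create/alter/drop checks) and the region servers
       (read/write checks). Loading it on only one side leaves the other
       set of operations unchecked. -->
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
</configuration>
```

The settings take effect after the master and region servers are restarted. Because both components are optional, a client helper of the kind proposed in the thread should expect clusters where they are not loaded and report that case clearly.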