You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Enis Soztutar (Created) (JIRA)" <ji...@apache.org> on 2012/02/07 00:54:59 UTC
[jira] [Created] (HBASE-5343) Access control API in HBaseAdmin.java
Access control API in HBaseAdmin.java
---------------------------------------
Key: HBASE-5343
URL: https://issues.apache.org/jira/browse/HBASE-5343
Project: HBase
Issue Type: Improvement
Components: client, coprocessors, security
Affects Versions: 0.94.0, 0.92.1
Reporter: Enis Soztutar
Assignee: Enis Soztutar
To use the access control mechanism added in HBASE-3025, users should either use the shell interface, or use the coprocessor API directly, which is not very user friendly. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5343) Access control API in
HBaseAdmin.java
Posted by "Enis Soztutar (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202903#comment-13202903 ]
Enis Soztutar commented on HBASE-5343:
--------------------------------------
bq. Adding coprocessor specific methods to HBaseAdmin completely undermines the purpose of coprocessors as optionally enabled extensions, and fails to scale as features are added. Having HBaseAdmin be a jumble of methods related to specific coprocessors is not very user friendly either.
I agree that we cannot throw every interface to HBaseAdmin that is implemented as coprocessors. However, my thinking is that from the perspective of the end user, co-processors are very-advanced API, and the client should be abstracted away from the fact that authorization features are implemented as co-processors. The initial reasoning behind this issue also includes the fact that, authorization and authentication are "core" features for a database.
What about introducing HBaseSecurityAdmin under ./security, which extends HBaseAdmin. We can also mark this interface as the stable public interface for security related APIs.
> Access control API in HBaseAdmin.java
> ---------------------------------------
>
> Key: HBASE-5343
> URL: https://issues.apache.org/jira/browse/HBASE-5343
> Project: HBase
> Issue Type: Improvement
> Components: client, coprocessors, security
> Affects Versions: 0.94.0, 0.92.1
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
>
> To use the access control mechanism added in HBASE-3025, users should either use the shell interface, or use the coprocessor API directly, which is not very user friendly. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5343) Access control API in
HBaseAdmin.java
Posted by "Andrew Purtell (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202133#comment-13202133 ]
Andrew Purtell commented on HBASE-5343:
---------------------------------------
bq. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.
-1
This issue should be resolved as 'invalid'.
> Access control API in HBaseAdmin.java
> ---------------------------------------
>
> Key: HBASE-5343
> URL: https://issues.apache.org/jira/browse/HBASE-5343
> Project: HBase
> Issue Type: Improvement
> Components: client, coprocessors, security
> Affects Versions: 0.94.0, 0.92.1
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
>
> To use the access control mechanism added in HBASE-3025, users should either use the shell interface, or use the coprocessor API directly, which is not very user friendly. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5343) Access control API in
HBaseAdmin.java
Posted by "Gary Helmling (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202081#comment-13202081 ]
Gary Helmling commented on HBASE-5343:
--------------------------------------
Adding coprocessor specific methods to {{HBaseAdmin}} completely undermines the purpose of coprocessors as optionally enabled extensions, and fails to scale as features are added. Having {{HBaseAdmin}} be a jumble of methods related to specific coprocessors is not very user friendly either.
Security usage requires that {{SecureRpcEngine}} be loaded and that {{AccessController}} be enabled. Yes, configuring these components is more complicated than it needs to be right now. But providing interfaces to these two optional components as a permanent part of the client-facing API presented by {{HBaseAdmin}} is not the solution.
If {{AccessControllerProtocol}} is too difficult to work with, then I think we would be better off with a simple client helper, like a {{SecurityClient}} class similar to the {{Constraints}} helper that was implemented for the constraints coprocessor.
> Access control API in HBaseAdmin.java
> ---------------------------------------
>
> Key: HBASE-5343
> URL: https://issues.apache.org/jira/browse/HBASE-5343
> Project: HBase
> Issue Type: Improvement
> Components: client, coprocessors, security
> Affects Versions: 0.94.0, 0.92.1
> Reporter: Enis Soztutar
> Assignee: Enis Soztutar
>
> To use the access control mechanism added in HBASE-3025, users should either use the shell interface, or use the coprocessor API directly, which is not very user friendly. We can add grant/revoke/user_permission commands similar to the shell interface to HBaseAdmin assuming HBASE-5341 is in.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira