You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Gary Helmling (JIRA)" <ji...@apache.org> on 2012/05/25 21:44:22 UTC

[jira] [Created] (HBASE-6104) Require EXEC permission to call coprocessor endpoints

Gary Helmling created HBASE-6104:
------------------------------------

             Summary: Require EXEC permission to call coprocessor endpoints
                 Key: HBASE-6104
                 URL: https://issues.apache.org/jira/browse/HBASE-6104
             Project: HBase
          Issue Type: Sub-task
          Components: coprocessors, security
            Reporter: Gary Helmling


The EXEC action currently exists as only a placeholder in access control.  It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted.

How the ACLs to support this would be modeled deserves some discussion:
* Should access be scoped to a specific table and CoprocessorProtocol extension?
* Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?
* Are per-method restrictions necessary?
* Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE.

To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Comment Edited] (HBASE-6104) Require EXEC permission to call coprocessor endpoints

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283720#comment-13283720 ] 

Andrew Purtell edited comment on HBASE-6104 at 5/25/12 8:02 PM:
----------------------------------------------------------------

bq. To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

+1 on this at a minimum.

bq. Should access be scoped to a specific table and CoprocessorProtocol extension?

bq. Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?

bq. Are per-method restrictions necessary?

For the sake of simplicity, I suggest considering an EXEC permission per CF. So that would allow the user or group specified in the grant to execute any coprocessors installed in the region for the given CF. We can do more, but it would be good to be informed by a specific use case then.

Edit: This implies some additional interface that informs the coprocessor what CFs the principal has access rights to.

                
      was (Author: apurtell):
    bq. To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

+1 on this at a minimum.

bq. Should access be scoped to a specific table and CoprocessorProtocol extension?

bq. Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?

bq. Are per-method restrictions necessary?

For the sake of simplicity, I suggest considering an EXEC permission per CF. So that would allow the user or group specified in the grant to execute any coprocessors installed in the region for the given CF. We can do more, but it would be good to be informed by a specific use case then.

                  
> Require EXEC permission to call coprocessor endpoints
> -----------------------------------------------------
>
>                 Key: HBASE-6104
>                 URL: https://issues.apache.org/jira/browse/HBASE-6104
>             Project: HBase
>          Issue Type: Sub-task
>          Components: coprocessors, security
>            Reporter: Gary Helmling
>
> The EXEC action currently exists as only a placeholder in access control.  It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted.
> How the ACLs to support this would be modeled deserves some discussion:
> * Should access be scoped to a specific table and CoprocessorProtocol extension?
> * Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?
> * Are per-method restrictions necessary?
> * Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE.
> To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (HBASE-6104) Require EXEC permission to call coprocessor endpoints

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283720#comment-13283720 ] 

Andrew Purtell commented on HBASE-6104:
---------------------------------------

bq. To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

+1 on this at a minimum.

bq. Should access be scoped to a specific table and CoprocessorProtocol extension?

bq. Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?

bq. Are per-method restrictions necessary?

For the sake of simplicity, I suggest considering an EXEC permission per CF. So that would allow the user or group specified in the grant to execute any coprocessors installed in the region for the given CF. We can do more, but it would be good to be informed by a specific use case then.

                
> Require EXEC permission to call coprocessor endpoints
> -----------------------------------------------------
>
>                 Key: HBASE-6104
>                 URL: https://issues.apache.org/jira/browse/HBASE-6104
>             Project: HBase
>          Issue Type: Sub-task
>          Components: coprocessors, security
>            Reporter: Gary Helmling
>
> The EXEC action currently exists as only a placeholder in access control.  It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted.
> How the ACLs to support this would be modeled deserves some discussion:
> * Should access be scoped to a specific table and CoprocessorProtocol extension?
> * Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?
> * Are per-method restrictions necessary?
> * Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE.
> To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (HBASE-6104) Require EXEC permission to call coprocessor endpoints

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/HBASE-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-6104:
----------------------------------

    Affects Version/s: 0.96.0
    
> Require EXEC permission to call coprocessor endpoints
> -----------------------------------------------------
>
>                 Key: HBASE-6104
>                 URL: https://issues.apache.org/jira/browse/HBASE-6104
>             Project: HBase
>          Issue Type: Sub-task
>          Components: coprocessors, security
>    Affects Versions: 0.96.0
>            Reporter: Gary Helmling
>
> The EXEC action currently exists as only a placeholder in access control.  It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted.
> How the ACLs to support this would be modeled deserves some discussion:
> * Should access be scoped to a specific table and CoprocessorProtocol extension?
> * Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)?
> * Are per-method restrictions necessary?
> * Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE.
> To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira