You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Ed Kohlwey (JIRA)" <ji...@apache.org> on 2011/01/10 19:44:47 UTC

[jira] Created: (HBASE-3435) Per-column-qualifier and per-key-value security for HBASE-3025

Per-column-qualifier and per-key-value security for HBASE-3025
--------------------------------------------------------------

                 Key: HBASE-3435
                 URL: https://issues.apache.org/jira/browse/HBASE-3435
             Project: HBase
          Issue Type: Improvement
            Reporter: Ed Kohlwey


Security labels should be assignable on a per-key-value and per-column-qualifer level. 

While simply assigning labels on a k/v level provides a lot of granularity, there will probably be a frequent desire to store labels on a column qualifier level and have fast atomic transactions on labels.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (HBASE-3435) Per-column-qualifier and per-key-value security for HBASE-3025

Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HBASE-3435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12979879#action_12979879 ] 

Gary Helmling commented on HBASE-3435:
--------------------------------------

Enabling per column-qualifier access controls should be fairly straightforward to add to the current state of HBASE-3025.

Currently we store per column-family ACLs in the {{.META.:acl}} column family, using keys in the form _principal_,_family_.  We could extend this for column-qualifier specific assignments to: _principal_,_family_,_qualifier_.

The next step is then enabling authorization checks per column-qualifier, which only becomes tricky in the case of wildcard gets or scans.  However, we already have a good user-exposed facility for matching columns to return via filters.  So we would create a new AccessControlFilter and inject it (when security is enabled) into user requests via preGet() and preScannerOpen() requests.

AccessControlFilter would then consult TableAuthManager for each KeyValue and filter out those for which access was denied.

In the process, the current logic for rejecting requests on a column-family level would need to change to allow requests from users with specific column qualifier access to continue.

> Per-column-qualifier and per-key-value security for HBASE-3025
> --------------------------------------------------------------
>
>                 Key: HBASE-3435
>                 URL: https://issues.apache.org/jira/browse/HBASE-3435
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ed Kohlwey
>
> Security labels should be assignable on a per-key-value and per-column-qualifer level. 
> While simply assigning labels on a k/v level provides a lot of granularity, there will probably be a frequent desire to store labels on a column qualifier level and have fast atomic transactions on labels.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.