You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Enis Soztutar (JIRA)" <ji...@apache.org> on 2014/05/01 00:03:16 UTC
[jira] [Commented] (HBASE-11077) [AccessController] Restore
compatible early-out access denial
[ https://issues.apache.org/jira/browse/HBASE-11077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986147#comment-13986147 ]
Enis Soztutar commented on HBASE-11077:
---------------------------------------
bq. Then we break compatibility from 0.98.1 to 0.98.2, in that default behavior prior to 0.98.2 in the 0.98 release line is quite different
Maybe default to false on 0.98, but true on trunk.
bq. unfortunately cell ACLs would become largely useless, unless the admin research the feature and flip the attribute to "false", because when we early out at CF checks to retain pre-0.98 behavior the cell ACLs that would otherwise grant exceptional access won't be visited, unless using the cell-first strategy
Surely we do not want to make the model complex, but at the same time allow both of the use cases. If we have table privs + config option + per-operation cell-first strategy it is already three dimensions. Can we reduce that to at least two? Can we get away with per-operation strategy or the config option?
> [AccessController] Restore compatible early-out access denial
> -------------------------------------------------------------
>
> Key: HBASE-11077
> URL: https://issues.apache.org/jira/browse/HBASE-11077
> Project: HBase
> Issue Type: Sub-task
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
> Priority: Critical
> Fix For: 0.99.0, 0.98.2
>
> Attachments: HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch, HBASE-11077.patch
>
>
> See parent for the whole story.
> For 0.98, to start, just put back the early out that was removed in 0.98.0 and allow it to be overridden with a table attribute.
--
This message was sent by Atlassian JIRA
(v6.2#6252)