Posted to dev@ranger.apache.org by "Rajeshbabu Chintaguntla (Jira)" <ji...@apache.org> on 2020/02/12 17:05:00 UTC

[jira] [Commented] (RANGER-2724) Support EXECUTE permission in HBase Authorisation

    [ https://issues.apache.org/jira/browse/RANGER-2724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17035512#comment-17035512 ] 

Rajeshbabu Chintaguntla commented on RANGER-2724:
-------------------------------------------------

Here is a WIP: I tried to add the execute permission in server def and a patch to support execute, but when I try to deploy it in the cluster it's not showing. Can anyone help me with how to verify it and where to add the test cases for the same? Thanks in advance.

> Support EXECUTE permission in HBase Authorisation
> -------------------------------------------------
>
>                 Key: RANGER-2724
>                 URL: https://issues.apache.org/jira/browse/RANGER-2724
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Rajeshbabu Chintaguntla
>            Assignee: Rajeshbabu Chintaguntla
>            Priority: Major
>         Attachments: RANGER-2724.patch
>
>
> HBase Authorisation supports execute permission along with read, write, create and admin.
> https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cdh_sg_hbase_authorization.html#
> # Read (R) - can read data at the given scope
> # Write (W) - can write data at the given scope
> # Execute (X) - can execute coprocessor endpoints at the given scope
> # Create (C) - can create tables or drop tables (even those they did not create) at the given scope
> # Admin (A) - can perform cluster operations such as balancing the cluster or assigning regions at the given scope
> In HBase we can define endpoint implementations to extend the HBase functionality without touching the core. These endpoints can be called in table scope.
> Example: Endpoint section in https://blogs.apache.org/hbase/entry/coprocessor_introduction
> To run the endpoint implementations, users can be authorised with execute permissions. There are also coprocessor hooks supported for these endpoint invocations.
> {noformat}
>     // Runs before a coprocessor endpoint is invoked; enforces EXEC at table scope.
>     public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>             Service service, String methodName, Message request) throws IOException {
>         // The AccessControlService endpoint itself is exempt from the EXEC check.
>         if (this.shouldCheckExecPermission && !(service instanceof AccessControlService)) {
>             this.requirePermission(ctx,
>                     "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",
>                     this.getTableName((RegionCoprocessorEnvironment)ctx.getEnvironment()),
>                     (byte[])null, (byte[])null, Action.EXEC);
>         }
>         return request;
>     }
>     public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>             Service service, String methodName, Message request, Builder responseBuilder)
>             throws IOException {
>     }
> {noformat}
> Anyway, this execute permission is optional, but it is better to have it in Ranger, mainly because in the case of Phoenix we use most of the coprocessor endpoints to handle metadata for tables/resources to be written to system tables. So it would be helpful to have it.


