You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Jerry He (JIRA)" <ji...@apache.org> on 2014/12/05 21:05:12 UTC
[jira] [Commented] (HBASE-12644) Visibility Labels: issue with
storing super users in labels table
[ https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14236014#comment-14236014 ]
Jerry He commented on HBASE-12644:
----------------------------------
In the AccessController, it seems that we don't persist any super user info in the hbase:acl table.
> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
> Key: HBASE-12644
> URL: https://issues.apache.org/jira/browse/HBASE-12644
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.98.8, 0.99.2
> Reporter: Jerry He
> Fix For: 1.0.0, 0.98.9
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system permission in hbase:labels.
> This make change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add super user when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for details.
>
> Additionally, there is no mechanism to remove any super user from the labels table.
>
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from labelsCache after retrieval by Visibility Controller.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)