HBASE-13006 Document visibility label support for groups. (Jerry He)
parent cf7ef936d2
commit 014b812103
|
@ -20,12 +20,13 @@ module Shell
|
|||
class ClearAuths < Command
|
||||
def help
|
||||
return <<-EOF
|
||||
Add a set of visibility labels for an user that has to removed
|
||||
Syntax : clear_auths 'user1',[label1, label2]
|
||||
Clear visibility labels from a user or group
|
||||
Syntax : clear_auths 'user',[label1, label2]
|
||||
|
||||
For example:
|
||||
|
||||
hbase> clear_auths 'user1', ['SECRET','PRIVATE']
|
||||
hbase> clear_auths '@group1', ['SECRET','PRIVATE']
|
||||
EOF
|
||||
end
|
||||
|
||||
|
|
|
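Review bot: the new Syntax line, clear_auths 'user',[label1, label2], shows only the user form, so the '@' prefix that marks a group appears only in the second example. Suggest stating it in the description itself, for instance "Clear visibility labels from a user or group (prefix a group name with '@')", so an operator who means a group does not act on a user entry of the same name.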
@ -20,12 +20,13 @@ module Shell
|
|||
class GetAuths < Command
|
||||
def help
|
||||
return <<-EOF
|
||||
Get the visibility labels set for a particular user
|
||||
Syntax : get_auths 'user1'
|
||||
Get the visibility labels set for a particular user or group
|
||||
Syntax : get_auths 'user'
|
||||
|
||||
For example:
|
||||
|
||||
hbase> get_auths 'user1'
|
||||
hbase> get_auths '@group1'
|
||||
EOF
|
||||
end
|
||||
|
||||
|
|
|
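Review bot: the new description "Get the visibility labels set for a particular user or group" does not say that the result for a user excludes labels inherited from groups, although the documentation changed in this same commit states that explicitly. Someone auditing access with get_auths 'user1' would under-count what that user can read. Suggest adding a line such as "For a user, only labels granted directly to that user are returned; query each '@group' separately."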
@ -20,12 +20,13 @@ module Shell
|
|||
class SetAuths < Command
|
||||
def help
|
||||
return <<-EOF
|
||||
Add a set of visibility labels for an user
|
||||
Syntax : set_auths 'user1',[label1, label2]
|
||||
Add a set of visibility labels for a user or group
|
||||
Syntax : set_auths 'user',[label1, label2]
|
||||
|
||||
For example:
|
||||
|
||||
hbase> set_auths 'user1', ['SECRET','PRIVATE']
|
||||
hbase> set_auths '@group1', ['SECRET','PRIVATE']
|
||||
EOF
|
||||
end
|
||||
|
||||
|
|
|
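Review bot: the help line "Add a set of visibility labels for a user or group" omits the effect described in the documentation part of this commit, namely that at check time the server includes a group's labels for every user who is a member. Suggest one sentence saying so, since set_auths '@group1', ['SECRET','PRIVATE'] widens read access for all members at once rather than for a single principal.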
@ -1057,6 +1057,9 @@ The default plugin passes through labels specified in Authorizations added to th
|
|||
When the client passes labels for which the user is not authenticated, the default plugin drops them.
|
||||
You can pass a subset of user authenticated labels via the `Get#setAuthorizations(Authorizations(String,...))` and `Scan#setAuthorizations(Authorizations(String,...));` methods.
|
||||
|
||||
Groups can be granted visibility labels the same way as users. Groups are prefixed with an @ symbol. When checking visibility labels of a user, the server will include the visibility labels of the groups of which the user is a member, together with the user's own labels.
|
||||
When the visibility labels are retrieved using API `VisibilityClient#getAuths` or Shell command `get_auths` for a user, we will return labels added specifically for that user alone, not the group level labels.
|
||||
|
||||
Visibility label access checking is performed by the VisibilityController coprocessor.
|
||||
You can use interface `VisibilityLabelService` to provide a custom implementation and/or control the way that visibility labels are stored with cells.
|
||||
See the source file _hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithCustomVisLabService.java_ for one example.
|
||||
|
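Review bot: in the added paragraph beginning "Groups can be granted visibility labels the same way as users", the phrase "the groups of which the user is a member" leaves open how the server determines membership, and that determines who ends up holding a label. Suggest naming or linking the group-resolution mechanism here. As a style point, "we will return labels" in the next added sentence should follow the third person used by the surrounding text ("the server will include", "the default plugin drops them").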
@ -1171,12 +1174,16 @@ hbase> set_auths 'service', [ 'service' ]
|
|||
----
|
||||
|
||||
----
|
||||
gbase> set_auths 'testuser', [ 'test' ]
|
||||
hbase> set_auths 'testuser', [ 'test' ]
|
||||
----
|
||||
|
||||
----
|
||||
hbase> set_auths 'qa', [ 'test', 'developer' ]
|
||||
----
|
||||
|
||||
----
|
||||
hbase> set_auths '@qagroup', [ 'test' ]
|
||||
----
|
||||
====
|
||||
+
|
||||
.Java API
|
||||
|
@ -1213,6 +1220,10 @@ hbase> clear_auths 'testuser', [ 'test' ]
|
|||
----
|
||||
hbase> clear_auths 'qa', [ 'test', 'developer' ]
|
||||
----
|
||||
|
||||
----
|
||||
hbase> clear_auths '@qagroup', [ 'test', 'developer' ]
|
||||
----
|
||||
====
|
||||
+
|
||||
.Java API
|
||||
|
|
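Review bot: the added example clear_auths '@qagroup', [ 'test', 'developer' ] clears 'developer', but the matching example added earlier in this commit, set_auths '@qagroup', [ 'test' ], grants the group only 'test'. Suggest making the two lists agree so the set and clear examples read as a round trip, as the 'qa' user examples already do.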