diff --git a/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb b/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb
index 7bf4252dc75..8553fa64713 100644
--- a/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb
+++ b/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb
@@ -20,12 +20,13 @@ module Shell
 class ClearAuths < Command
 def help
 return <<-EOF
-Add a set of visibility labels for an user that has to removed
-Syntax : clear_auths 'user1',[label1, label2]
+Clear visibility labels from a user or group
+Syntax : clear_auths 'user',[label1, label2]
 For example:
 hbase> clear_auths 'user1', ['SECRET','PRIVATE']
+ hbase> clear_auths '@group1', ['SECRET','PRIVATE']
 EOF
 end
diff --git a/hbase-shell/src/main/ruby/shell/commands/get_auths.rb b/hbase-shell/src/main/ruby/shell/commands/get_auths.rb
index 2bc3e09a61a..1b758ef9495 100644
--- a/hbase-shell/src/main/ruby/shell/commands/get_auths.rb
+++ b/hbase-shell/src/main/ruby/shell/commands/get_auths.rb
@@ -20,12 +20,13 @@ module Shell
 class GetAuths < Command
 def help
 return <<-EOF
-Get the visibility labels set for a particular user
-Syntax : get_auths 'user1'
+Get the visibility labels set for a particular user or group
+Syntax : get_auths 'user'
 For example:
 hbase> get_auths 'user1'
+ hbase> get_auths '@group1'
 EOF
 end
diff --git a/hbase-shell/src/main/ruby/shell/commands/set_auths.rb b/hbase-shell/src/main/ruby/shell/commands/set_auths.rb
index 66797190eb2..4a52eb0ef7d 100644
--- a/hbase-shell/src/main/ruby/shell/commands/set_auths.rb
+++ b/hbase-shell/src/main/ruby/shell/commands/set_auths.rb
@@ -20,12 +20,13 @@ module Shell
 class SetAuths < Command
 def help
 return <<-EOF
-Add a set of visibility labels for an user
-Syntax : set_auths 'user1',[label1, label2]
+Add a set of visibility labels for a user or group
+Syntax : set_auths 'user',[label1, label2]
 For example:
 hbase> set_auths 'user1', ['SECRET','PRIVATE']
+ hbase> set_auths '@group1', ['SECRET','PRIVATE']
 EOF
 end
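Review bot: The new help text in clear_auths.rb never states that a leading `@` is what marks the first argument as a group; the only hint is the added example, and the Syntax line still reads `'user'`. Since the prefix presumably decides which principal the labels are removed from, I would spell it out in the heredoc, for example `Syntax : clear_auths 'user'|'@group',[label1, label2]` followed by `Group names must be prefixed with '@'.` The same wording gap is in the set_auths.rb and get_auths.rb hunks of this commit.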
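Review bot: The get_auths.rb help should say that the result for a user leaves out labels inherited from the user's groups. The security.adoc change in this same commit documents that `get_auths` returns only labels added specifically for that user, while the server also applies group labels when checking visibility. An operator auditing access with `get_auths 'user1'` would therefore under-count the labels that user can actually read with. I would add a line to the heredoc such as `Labels granted to the user's groups are not listed; run get_auths on each '@group' as well.`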
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index ae74661c5b7..25153a5f2b8 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -1057,6 +1057,9 @@ The default plugin passes through labels specified in Authorizations added to th
 When the client passes labels for which the user is not authenticated, the default plugin drops them.
 You can pass a subset of user authenticated labels via the `Get#setAuthorizations(Authorizations(String,...))` and `Scan#setAuthorizations(Authorizations(String,...));` methods.
+Groups can be granted visibility labels the same way as users. Groups are prefixed with an @ symbol. When checking visibility labels of a user, the server will include the visibility labels of the groups of which the user is a member, together with the user's own labels.
+When the visibility labels are retrieved using API `VisibilityClient#getAuths` or Shell command `get_auths` for a user, we will return labels added specifically for that user alone, not the group level labels.
+
 Visibility label access checking is performed by the VisibilityController coprocessor.
 You can use interface `VisibilityLabelService` to provide a custom implementation and/or control the way that visibility labels are stored with cells.
 See the source file _hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithCustomVisLabService.java_ for one example.
@@ -1171,12 +1174,16 @@ hbase> set_auths 'service', [ 'service' ]
 ----
 ----
-gbase> set_auths 'testuser', [ 'test' ]
+hbase> set_auths 'testuser', [ 'test' ]
 ----
 ----
 hbase> set_auths 'qa', [ 'test', 'developer' ]
 ----
+
+----
+hbase> set_auths '@qagroup', [ 'test' ]
+----
 ====
 +
 .Java API
@@ -1213,6 +1220,10 @@ hbase> clear_auths 'testuser', [ 'test' ]
 ----
 hbase> clear_auths 'qa', [ 'test', 'developer' ]
 ----
+
+----
+hbase> clear_auths '@qagroup', [ 'test', 'developer' ]
+----
 ====
 +
 .Java API