HBASE-6192 Document ACL matrix in the book (Misty Stanley-Jones)
This commit is contained in:
parent
4678ce09ca
commit
18c5cf9e43
@ -454,6 +454,7 @@ HColumnDescriptor#setCompressTags(boolean compressTags)
|
|||
Put#add(byte[] family, byte [] qualifier, byte [] value, Tag[] tag)
|
||||
Put#add(byte[] family, byte[] qualifier, long ts, byte[] value, Tag[] tag)
|
||||
]]></programlisting>
|
||||
|
||||
<para> Some of the feature developed using tags are Cell level ACLs and Visibility labels. These
|
||||
are some features that use tags framework and allows users to gain better security features on
|
||||
cell level. </para>
|
||||
|
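Review bot: the added paragraph needs a grammar pass before it ships in the book: "Some of the feature developed using tags are Cell level ACLs and Visibility labels" should read "Some of the features developed using tags are cell-level ACLs and visibility labels", and "These are some features that use tags framework and allows users to gain better security features on cell level" should read "These features use the tags framework and allow users to apply security controls at the cell level". The two sentences also both end on "cell level", so the second mention can be dropped.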
@ -465,6 +466,7 @@ Put#add(byte[] family, byte[] qualifier, long ts, byte[] value, Tag[] tag)
|
|||
linkend="hbase.visibility.labels">Visibility labels</link>
|
||||
</para>
|
||||
</section>
|
||||
|
||||
<section
|
||||
xml:id="hbase.accesscontrol.configuration">
|
||||
<title>Access Control</title>
|
||||
|
@ -631,6 +633,7 @@ Put#add(byte[] family, byte[] qualifier, long ts, byte[] value, Tag[] tag)
|
|||
</table>
|
||||
<para> Permissions can be granted in any of the following scopes, though CREATE and ADMIN
|
||||
permissions are effective only at table scope. </para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Table</para>
|
||||
|
@ -684,6 +687,650 @@ Put#add(byte[] family, byte[] qualifier, long ts, byte[] value, Tag[] tag)
|
|||
table attribute. Only a single user principal can own a table at a given time. A table owner
|
||||
will have all permissions over a given table. </para>
|
||||
</section>
|
||||
<section>
|
||||
<title>Access Control Matrix</title>
|
||||
<para>The following matrix shows the minimum permission set required to perform operations in
|
||||
HBase. Before using the table, read through the information about how to interpret it.</para>
|
||||
<variablelist>
|
||||
<title>Interpreting the ACL Matrix Table</title>
|
||||
<para>The following conventions are used in the ACL Matrix table:</para>
|
||||
<varlistentry>
|
||||
<term>Scopes</term>
|
||||
<listitem>
|
||||
<para>Permissions are evaluated starting at the widest scope and working to the
|
||||
narrowest scope. A scope corresponds to a level of the data model. From broadest to
|
||||
narrowest, the scopes are as follows::</para>
|
||||
<itemizedlist>
|
||||
<listitem><para>Global</para></listitem>
|
||||
<listitem><para>Namespace (NS)</para></listitem>
|
||||
<listitem><para>Table</para></listitem>
|
||||
<listitem><para>Column Qualifier (CF)</para></listitem>
|
||||
<listitem><para>Column Family (CQ)</para></listitem>
|
||||
<listitem><para>Cell</para></listitem>
|
||||
</itemizedlist>
|
||||
<para>For instance, a permission granted at table level dominates any grants done at the
|
||||
ColumnFamily, ColumnQualifier, or cell level. The user can do what that grant implies
|
||||
at any location in the table. A permission granted at global scope dominates all: the
|
||||
user is always allowed to take that action everywhere.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>Permissions</term>
|
||||
<listitem>
|
||||
<para>Possible permissions include the following:</para>
|
||||
<itemizedlist>
|
||||
<listitem><para>Superuser - a special user that belongs to group "supergroup" and has
|
||||
unlimited access</para></listitem>
|
||||
<listitem><para>Admin (A)</para></listitem>
|
||||
<listitem><para>Create (C)</para></listitem>
|
||||
<listitem><para>Write (W)</para></listitem>
|
||||
<listitem><para>Read (R)</para></listitem>
|
||||
<listitem><para>Execute (X)</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For the most part, permissions work in an expected way, with the following caveats:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Having Write permission does not imply Read permission. It is possible and sometimes
|
||||
desirable for a user to be able to write data that same user cannot read. One such example
|
||||
is a log-writing process.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Admin is a superset of Create, so a user with Admin permissions does not also need
|
||||
Create permissions to perform an action such as creating a table.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>The <systemitem>hbase:meta</systemitem> table is readable by every user, regardless
|
||||
of the user's other grants or restrictions. This is a requirement for HBase to
|
||||
function correctly.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Users with Create or Admin permissions are granted Write permission on meta regions,
|
||||
so the table operations they are allowed to perform can complete, even if technically
|
||||
the bits can be granted separately in any possible combination.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><code>CheckAndPut</code> and <code>CheckAndDelete</code> operations will fail if the user does not have both
|
||||
Write and Read permission.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><code>Increment</code> and <code>Append</code> operations do not require Read access.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following table is sorted by the interface that provides each operation. In case the
|
||||
table goes out of date, the unit tests which check for accuracy of permissions can be found
|
||||
in
|
||||
<filename>hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java</filename>,
|
||||
and the access controls themselves can be examined in
|
||||
<filename>hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java</filename>.</para>
|
||||
|
||||
<table
|
||||
frame="all">
|
||||
<title>ACL Matrix</title>
|
||||
<tgroup
|
||||
cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>Interface</entry>
|
||||
<entry>Operation</entry>
|
||||
<entry>Minimum Scope</entry>
|
||||
<entry>Minimum Permission</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry
|
||||
morerows="27">
|
||||
<!-- incrememt this if you add another "master" operation -->
|
||||
<para>Master</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>createTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>modifyTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>deleteTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>truncateTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>addColumn</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>modifyColumn</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>deleteColumn</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>disableTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>disableAclTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>None</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Not allowed</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>enableTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>move</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>assign</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>unassign</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>regionOffline</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>balance</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>balanceSwitch</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>shutdown</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>stopMaster</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>snapshot</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>clone</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>restore</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>deleteSnapshot</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>createNamespace</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>deleteNamespace</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Namespace</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>modifyNamespace</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Namespace</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>flushTable</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>getTableDescriptors</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global|Table</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>mergeRegions</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry
|
||||
morerows="25">Region</entry>
|
||||
<!-- Incrememt this if you add any more Region
|
||||
operations -->
|
||||
<entry>preOpen</entry>
|
||||
<entry>Global</entry>
|
||||
<entry>A</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>openRegion</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>preClose</entry>
|
||||
<entry>Global</entry>
|
||||
<entry>A</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>closeRegion</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>preStopRegionServer</entry>
|
||||
<entry>Global</entry>
|
||||
<entry>A</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>stopRegionServer</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>mergeRegions</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>append</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>delete</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>exists</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>get</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>getClosestRowBefore</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>increment</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>put</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>flush</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>split</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>compact</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A|CW</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>bulkLoadHFile</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>prepareBulkLoad</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>CW</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>cleanupBulkLoad</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>W</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>checkAndDelete</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>RW</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>checkAndPut</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>RW</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>incrementColumnValue</entry>
|
||||
<entry>Table|CF|CQ</entry>
|
||||
<entry>RW</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>ScannerClose</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>ScannerNext</entry>
|
||||
<entry>Table</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>ScannerOpen</entry>
|
||||
<entry>Table|CQ|CF</entry>
|
||||
<entry>R</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>Endpoint</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>invoke</para>
|
||||
</entry>
|
||||
<entry>Endpoint</entry>
|
||||
<entry>
|
||||
<para>X</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry
|
||||
morerows="3">
|
||||
<para>AccessController</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>grant</para>
|
||||
</entry>
|
||||
<entry>Global|Table|NS</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>revoke</para>
|
||||
</entry>
|
||||
<entry>Global|Table|NS</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>userPermissions</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global|Table|NS</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>
|
||||
<para>checkPermissions</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>Global|Table|NS</para>
|
||||
</entry>
|
||||
<entry>
|
||||
<para>A</para>
|
||||
</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Server-side Configuration for Access Control</title>
|
||||
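Review bot: the scope list under "Interpreting the ACL Matrix Table" has the two column scopes swapped and mislabelled: it lists `<listitem><para>Column Qualifier (CF)</para></listitem>` before `<listitem><para>Column Family (CQ)</para></listitem>`, but a column family contains qualifiers, so from broadest to narrowest the entries should be "Column Family (CF)" followed by "Column Qualifier (CQ)", which also matches the "Table|CF|CQ" convention the matrix rows use. The same paragraph ends with a doubled colon ("as follows::"). The caveat that Increment and Append operations do not require Read access is contradicted by the incrementColumnValue row, which lists RW while the increment row lists W; either the row or the caveat should be corrected so readers are not told two different things. The ScannerOpen row writes "Table|CQ|CF" where every other row writes "Table|CF|CQ". The invoke row gives "Endpoint" as its minimum scope, which is not one of the scopes the list above defines, so a short note on what that means would help. Both "incrememt" comments should read "increment". Finally, roughly half the table cells wrap their text in `<para>` and the rest are bare `<entry>` text; using one form throughout would make the row additions those comments anticipate less error-prone.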