HBASE-10211 - Improve AccessControl documentation in hbase book (Ram)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1553366 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
ramkrishna
parent
6acf3bf483
commit
ce61a9f638
|
|
@ -484,7 +484,7 @@
|
|||
</para>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Row-level or per value (cell): This would require broader changes for storing the ACLs inline with rows. It is a future goal.</para>
|
||||
<para>Row-level or per value (cell): Using Tags in HFile V3</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Push down of file ownership to HDFS: HBase is not designed for the case where files may have different permissions than the HBase system principal. Pushing file ownership down into HDFS would necessitate changes to core code. Also, while HDFS file ownership would make applying quotas easy, and possibly make bulk imports more straightforward, it is not clear that it would offer a more secure setup.</para>
|
||||
|
|
@ -670,6 +670,47 @@ Access control mechanisms are mature and fairly standardized in the relational d
|
|||
]]></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Cell level Access Control using Tags</title>
|
||||
<para>
|
||||
Prior to HBase 0.98 access control was restricted to table and column family level. Thanks to tags feature in 0.98 that allows Access control on a cell level.
|
||||
The existing Access Controller coprocessor helps in achieving cell level access control also.
|
||||
For details on configuring it refer to <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section.
|
||||
</para>
|
||||
<para>
|
||||
The ACLs can be specified for every mutation using the APIs
|
||||
</para>
|
||||
<programlisting><![CDATA[
|
||||
Mutation.setACL(String user, Permission perms)
|
||||
Mutation.setACL(Map<String, Permission> perms)
|
||||
]]></programlisting>
|
||||
<para>
|
||||
For example, to provide read permission to an user ‘user1’ then
|
||||
</para>
|
||||
<programlisting><![CDATA[
|
||||
put.setACL(“user1”, new Permission(Permission.Action.READ))
|
||||
]]></programlisting>
|
||||
<para>
|
||||
Generally the ACL applied on the table and CF takes precedence over Cell level ACL. In order to make the cell level ACL to take precedence use the following API,
|
||||
</para>
|
||||
<programlisting><![CDATA[
|
||||
Mutation.setACLStrategy(boolean cellFirstStrategy)
|
||||
]]></programlisting>
|
||||
<para>
|
||||
Please note that inorder to use this feature, HFile V3 version should be turned on.
|
||||
</para>
|
||||
<programlisting><![CDATA[
|
||||
<property>
|
||||
<name>hfile.format.version</name>
|
||||
<value>3</value>
|
||||
</property>
|
||||
]]></programlisting>
|
||||
<para>
|
||||
Note that deletes with ACLs do not have any effect.
|
||||
To keep things simple the ACLs applied on the current Put does not change the ACL of any previous Put in the sense
|
||||
that the ACL on the current put does not affect older versions of Put for the same row.
|
||||
</para>
|
||||
</section>
|
||||
<section><title>Shell Enhancements for Access Control</title>
|
||||
<para>
|
||||
The HBase shell has been extended to provide simple commands for editing and updating user permissions. The following commands have been added for access control list management:
|
||||
|
|
|
|||
Loading…
Reference in New Issue