search

Huawei-Hadoop / hindex

Secondary Index for HBase
Apache License 2.0
591 stars 286 forks source link

Support secure access to the index tables #43

Open jyothi-mandava opened 10 years ago

jyothi-mandava commented 10 years ago

Secure check is bypassed while accessing the indexing tables currently. Basic implementation can be granting the same ACL as usertable. Need to work on the best solution by considering per cell ACL in HBase >= 0.98 versions

anoopsjohn commented 10 years ago

Thinking more on this..

bq.Basic implementation can be granting the same ACL as usertable Yes but with per cell it becomes more and more complicated. There can be a multi column index with columns over diff CFs itself. Well these CFs can have diff user ACLs or even cells.

So what I am thinking now is creating a new CP impl for handling the AccessControl for the Index table. The new CP can be registered at table level , with highest priority for the Index table. This CP can be added only when the AC is ON for the user table. (AccessController CP is installed for the table)

The AC check on the user table is happened in pre hooks already. Then comes read/write to index regions. We will allow the read/write to index table only from IndexRegionObserver. So in the new CP impl, check whether this call comes from the IndexRegionObserver (Well we can make use of ThreadLocal (?)) If the call is not from IndexRegionObserver just AccessDeny the op. If it comes from, allow it and do a bypass call. This will bypass AC CP. This way we can avoid the patching done in AC code.

jyothi-mandava commented 10 years ago

bq.Yes but with per cell it becomes more and more complicated. There can be a multi column index with columns over diff CFs itself. Well these CFs can have diff user ACLs or even cells Yes index table ACL shouldn't depend on user table CF/cell ACLs. We should be able to find the complete index info from index table for the input and actual filtering based on CF/cell ACL has to happen on user table while forming the result.

Idea of by passing the check if the call is from IndexRegionObserver sounds great. This will be fine for handling the all operations like write/read etc on index table. Coming to MasterObserverImpl, for DDL operations which can happen directly on Index tables like dynamic addition/deletion of indexes ( any operation which does not come through user table), we can allow only admin user ( or allowed users with Access Control for index table) to perform. This will restrict any other user from performing DDL operations on the index table directly.