HBase security label support

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

HBase security label support

Mike Thomsen
Are there any plans for implementing HBase security labels?

Thanks,

Mike
Reply | Threaded
Open this post in threaded view
|

Re: HBase security label support

Bryan Bende
Mike,

I don't know of any work being done or any JIRAs that exist for this,
but seems like it would be good to support them. Most likely its just
that no one has asked for it yet.

I'd go ahead and create a JIRA, or if you were planning to incorporate
it into the HBase record processors then that sounds good too.

Thanks,

Bryan

On Thu, Jun 29, 2017 at 1:03 PM, Mike Thomsen <[hidden email]> wrote:
> Are there any plans for implementing HBase security labels?
>
> Thanks,
>
> Mike
Reply | Threaded
Open this post in threaded view
|

Re: HBase security label support

Mike Thomsen
I started working on this and have PutHBaseCell, PutHBaseJSON and
FetchHBaseRow working with it. I'm following a loose convention that goes
like this:

1. Option of sane default for visibility boolean string where appropriate,
but the string is not required.
2. User defines the list of tokens that will be used for the scans and gets
so they can control how much of the acceptable range is used (this will be
customizable with EL).
3. For JSON data, attributes that follow visibility.COL_FAM.COL_QUAL =
X&(Y|Z) is how it'll let the user define different statements for each
column.
4. For records, I plan to put a record path property where a user can
specify a simple Map<String> in Avro that would provide the equivalent of
#3 for records, but would not be added to the Puts.

Our environment doesn't have Kerberos enabled. We're just using OS users
and manual set_auths to define who can see what in HBase. I don't expect
it'll make a difference to NiFi for users that have Kerberos set up
properly.

Thanks,

Mike

On Thu, Jun 29, 2017 at 1:25 PM, Bryan Bende <[hidden email]> wrote:

> Mike,
>
> I don't know of any work being done or any JIRAs that exist for this,
> but seems like it would be good to support them. Most likely its just
> that no one has asked for it yet.
>
> I'd go ahead and create a JIRA, or if you were planning to incorporate
> it into the HBase record processors then that sounds good too.
>
> Thanks,
>
> Bryan
>
> On Thu, Jun 29, 2017 at 1:03 PM, Mike Thomsen <[hidden email]>
> wrote:
> > Are there any plans for implementing HBase security labels?
> >
> > Thanks,
> >
> > Mike
>