hbase-user mailing list archives

From Reid Chan <reidddc...@outlook.com>
Subject Re: Equivalent of Row Level Security for HBase
Date Tue, 03 Sep 2019 02:44:59 GMT

HBase has `Cell` level ACL, which is much more fine-grained than `Row` level; I think it may
suit your need.

There's also one feature, Visibility Labels (http://hbase.apache.org/book.html#hbase.visibility.labels).
You might want to take a shot.


Best regards,

From: Simon Mottram <Simon.Mottram@cucumber.co.nz>
Sent: 03 September 2019 08:59
To: user@hbase.apache.org
Subject: Equivalent of Row Level Security for HBase


I'm a Java developer, very new to HBase, and could use some directions.

I'm working on a project where we have a combination of sparse
data columns (1000's) with added headaches of multi-tenancy/row level
security. Initially the database will be small but in the near/medium
future will expand to millions. HBase looks great for the sparse nature of
the back end and looks perfect for the expected data load, but I
need to check that we can support the customer's
security requirements.

Shared Data
Each record in the table must be secured but it could be multiple
tenants for a record.  Think 'shared' data.

So for example if you had 3 records

record1, some data columns
record2, some data columns, not all shared with record1
record3, some data columns, not all same as 1 and 2

We need
userGroup1 to be able to see record1 and record2
userGroup2 to be able to see record2 and record3

How would you handle this in HBase?  Off the top of my head we could:

1) use a Table per user group and do UNION queries, I have strong
reservations about performance here as a fundamental reason for the
system is to perform aggregations such as averages, standard deviations
etc across the data.  Think userGroups = bunches of
statisticians/scientists. Also the sparse data structure will make
unions problematic I think.

2) 'Row' level security. Can we customise the ACL system to allow the
equivalent of multiple tenants per record?

3) None of the above?

Best Regards
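
The visibility-label approach suggested in the reply, applied to the question's three records and two user groups, as an added example that is not part of either message and is not HBase code. It is a Python model of label-expression evaluation; reusing the group names as labels and letting `&` bind tighter than `|` are assumptions of the model.

```python
import re

TOKEN = re.compile(r"[A-Za-z0-9_]+|[&|!()]")

def visible(expr, auths):
    """Model: may a reader holding the labels in `auths` see a cell labelled `expr`?"""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unsupported characters in {expr!r}")
    if not toks:                        # unlabelled cell: visible to every reader
        return True
    toks.append(None)                   # end-of-input marker
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if tok is None or (expected and tok != expected):
            raise ValueError(f"malformed expression {expr!r}")
        pos += 1
        return tok
    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            val = either()
            take(")")
            return val
        if tok in ("&", "|", ")"):
            raise ValueError(f"malformed expression {expr!r}")
        return tok in auths             # bare label: true if the reader holds it
    def binary(op, operand):            # left-associative chain of one operator
        val = operand()
        while toks[pos] == op:
            take()                      # operand() runs first so it is always parsed
            val = (operand() and val) if op == "&" else (operand() or val)
        return val
    def either():                       # assumption: & binds tighter than |
        return binary("|", lambda: binary("&", atom))
    result = either()
    if toks[pos] is not None:
        raise ValueError(f"malformed expression {expr!r}")
    return result

# Constructed from the question; reusing the group names as labels is an assumption.
RECORD_LABELS = {"record1": "userGroup1", "record2": "userGroup1|userGroup2",
                 "record3": "userGroup2"}

def readable_records(auths):
    return sorted(r for r, expr in RECORD_LABELS.items() if visible(expr, auths))
```

In the HBase Java client the expression is attached to a write with `Put.setCellVisibility(new CellVisibility(...))` and the reader's labels are passed with `Scan.setAuthorizations(new Authorizations(...))`. The model's first branch is worth noting when loading shared data: a cell written without any label is returned to every reader.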

