hbase-dev mailing list archives

From Ted Yu <yuzhih...@gmail.com>
Subject Re: CreateTableHandler: postCreateTableHanler coprocessor runs as RemoteRpcUser privileged action.
Date Fri, 08 May 2015 23:40:19 GMT
bq. we should release note or document this behavior

+1

On Fri, May 8, 2015 at 4:31 PM, Srikanth Srungarapu <srikanth235@gmail.com>
wrote:

> Had offline chat with Matteo on this. To summarize:
> - Prior to proc-v2 changes (i.e. 1.0 and below), except for the
> CreateTableHandler, all other handlers are running as system user.
> - With the proc-v2 changes, all the handlers will be running as user
> embedded in rpc context, if it is not null. Else we fall back to system
> user. You can take a look at the code here
> <https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/master/procedure/MasterProcedureEnv.java#L92>.
>
> I'm more leaning towards keeping the proc-v2 changes, as it brings unified
> semantics and the user has provision for simulating other users by using
> methods in ConnectionFactory or runAs. Maybe we should release note or
> document this behavior?
>
>
> On Mon, May 4, 2015 at 10:42 PM, abhishek kr <abhishek.kr@huawei.com>
> wrote:
>
> > sure, created JIRA HBASE-13619.
> >
> > Regards,
> > Abhishek
> >
> > -----Original Message-----
> > From: Andrew Purtell [mailto:apurtell@apache.org]
> > Sent: 04 May 2015 22:41
> > To: dev@hbase.apache.org
> > Subject: Re: CreateTableHandler: postCreateTableHanler coprocessor runs as
> > RemoteRpcUser privileged action.
> >
> > I think at this point we can't change the behavior, that would be a
> > regression. Could be better documented. We can include advice on using
> > User.runAsLoginUser.
> > Would you like to file an issue for the documentation improvement?
> >
> >
> > On Mon, May 4, 2015 at 5:14 AM, abhishek kr <abhishek.kr@huawei.com>
> > wrote:
> >
> > > Hi,
> > > We have a custom written coprocessor for CreateTableHandler which does
> > > some hdfs related stuff in postCreateTableHandler, and it was working
> > > fine till HBASE-11886 got merged. It seems that post HBASE-11886
> > > merge, our coprocessor code is getting executed with remote rpc user
> > > privileges instead of master privileges:
> > > //  --START--
> > >     this.activeUser.runAs(new PrivilegedExceptionAction<Void>() {
> > >           @Override
> > >           public Void run() throws Exception {
> > >             cpHost.postCreateTableHandler(hTableDescriptor, newRegions);
> > >             return null;
> > >           }
> > >         });
> > > // --END--
> > >
> > > As per HBASE-11886, these changes were done to handle table ACL
> > > related issue, however it does this by reducing the default
> > > privileges coprocessor runs under.
> > > We can get around this by using User.runAsLoginUser in our coprocessor
> > > code but I think by default coprocessors should continue to run with
> > > master/region server identity and HBASE-11886 can be handled in some
> > > other way, for example using InheritedThreadLocal for RequestContext,
> > > as suggested in comments by Anoop in HBASE-11886, pls let us know ur
> > > views on this, thanks.
> > >
> > >
> > > Regards,
> > > Abhishek
> > >
> > >
> >
> >
> > --
> > Best regards,
> >
> >    - Andy
> >
> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > (via Tom White)
> >
>
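
The User.runAsLoginUser workaround discussed in this thread, as an added example that is not code from any of the posters or from HBase itself. It assumes the HBase 1.0-era coprocessor API (BaseMasterObserver and the postCreateTableHandler hook quoted above); the class name, SIDECAR_ROOT path and directory mode are hypothetical.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hbase.HRegionInfo;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.coprocessor.BaseMasterObserver;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.security.User;

// Hypothetical observer: creates one HDFS directory per new table.
public class TableSidecarDirObserver extends BaseMasterObserver {
  // Assumed location, owned by the HBase service user; not an HBase path.
  private static final Path SIDECAR_ROOT = new Path("/apps/example-sidecar");

  @Override
  public void postCreateTableHandler(
      ObserverContext<MasterCoprocessorEnvironment> ctx,
      HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
    // The hook is called inside activeUser.runAs(...), so everything out here
    // executes with the remote RPC user's identity and HDFS permissions.
    final Configuration conf = ctx.getEnvironment().getConfiguration();
    final TableName name = desc.getTableName();
    // Build the target only from the table's namespace and qualifier, never
    // from free-form client input, because the write below runs as the master.
    final Path dir = new Path(
        new Path(SIDECAR_ROOT, name.getNamespaceAsString()),
        name.getQualifierAsString());

    // Keep the privileged section to the single operation that needs it.
    User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        // Obtain the FileSystem inside the action: Hadoop caches FileSystem
        // instances per calling user, so one fetched outside would still
        // carry the RPC user's identity.
        FileSystem fs = FileSystem.get(conf);
        if (!fs.mkdirs(dir, new FsPermission((short) 0750))) {
          throw new IOException("Could not create " + dir);
        }
        return null;
      }
    });
  }
}
```

Anything placed inside the runAsLoginUser block is performed with the master's privileges on behalf of whichever user issued the create-table RPC, so any authorization the action depends on has to be checked before entering it.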
