Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 920411031B for ; Wed, 25 Dec 2013 08:45:58 +0000 (UTC) Received: (qmail 58389 invoked by uid 500); 25 Dec 2013 08:45:56 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 58306 invoked by uid 500); 25 Dec 2013 08:45:55 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 58284 invoked by uid 99); 25 Dec 2013 08:45:52 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Dec 2013 08:45:52 +0000 Date: Wed, 25 Dec 2013 08:45:52 +0000 (UTC) From: "Andrew Purtell (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-6104) Require EXEC permission to call coprocessor endpoints MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-6104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13856548#comment-13856548 ] Andrew Purtell commented on HBASE-6104: --------------------------------------- I'm not able to reproduce this locally with -Dhadoop.profile=1.1 and Oracle Java build 1.7.0_21-b11. I see where in TestAccessController#verifyDenied someone has added code attempting to deal with UTEs with AccessDeniedException as a nested cause. Although it would seem the code intends to handle the exception reported by the failed test here: {code} java.lang.reflect.UndeclaredThrowableException: Unknown exception in doAs Caused by: java.security.PrivilegedActionException: com.google.protobuf.ServiceException: Error calling method PingService.noop Caused by: com.google.protobuf.ServiceException: Error calling method PingService.noop Caused by: org.apache.hadoop.hbase.security.AccessDeniedExceptionorg.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=UserB, scope=testCoprocessorExec, family=, action=EXEC) Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=UserB, scope=testCoprocessorExec, family=, action=EXEC) ... {code} it didn't work properly. > Require EXEC permission to call coprocessor endpoints > ----------------------------------------------------- > > Key: HBASE-6104 > URL: https://issues.apache.org/jira/browse/HBASE-6104 > Project: HBase > Issue Type: New Feature > Components: Coprocessors, security > Reporter: Gary Helmling > Assignee: Andrew Purtell > Fix For: 0.98.0, 0.99.0 > > Attachments: 6104.patch, 6104.patch, 6104.patch, 6104.patch, 6104.patch > > > The EXEC action currently exists as only a placeholder in access control. It should really be used to enforce access to coprocessor endpoint RPC calls, which are currently unrestricted. > How the ACLs to support this would be modeled deserves some discussion: > * Should access be scoped to a specific table and CoprocessorProtocol extension? > * Should it be possible to grant access to a CoprocessorProtocol implementation globally (regardless of table)? > * Are per-method restrictions necessary? > * Should we expose hooks available to endpoint implementors so that they could additionally apply their own permission checks? Some CP endpoints may want to require READ permissions, others may want to enforce WRITE, or READ + WRITE. > To apply these kinds of checks we would also have to extend the RegionObserver interface to provide hooks wrapping HRegion.exec(). -- This message was sent by Atlassian JIRA (v6.1.5#6160)