hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Srikanth Srungarapu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14169) API to refreshSuperUserGroupsConfiguration
Date Thu, 30 Jul 2015 23:41:04 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14648498#comment-14648498
] 

Srikanth Srungarapu commented on HBASE-14169:
---------------------------------------------

Agree with Matteo's point. And also, allowing global admin to refresh super user groups can
introduce vulnerability as it introduces the possibility for global admin to gain super user
privileges.

{code}
requirePermission("refreshSuperUserGroupsConf", Action.ADMIN);
{code}

Also, we have new class {{SuperUsers}} which encapsulates the code related to super user configurations.
You might want to move some changes over to there.

> API to refreshSuperUserGroupsConfiguration
> ------------------------------------------
>
>                 Key: HBASE-14169
>                 URL: https://issues.apache.org/jira/browse/HBASE-14169
>             Project: HBase
>          Issue Type: New Feature
>            Reporter: Francis Liu
>            Assignee: Francis Liu
>         Attachments: HBASE-14169.patch
>
>
> For deployments that use security. User impersonation (AKA doAs()) is needed for some
services (ie Stargate, thriftserver, Oozie, etc). Impersonation definitions are defined in
a xml config file and read and cached by the ProxyUsers class. Calling this api will refresh
cached information, eliminating the need to restart the master/regionserver whenever the configuration
is changed. 
> Implementation just adds another method to AccessControlService.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message