hbase-issues mailing list archives

From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
Date Thu, 21 Jan 2016 12:36:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15110529#comment-15110529 ]

Anoop Sam John commented on HBASE-15132:

Implement the new method in BaseMasterAndRegionObserver also, so that we don't have to do a dummy impl
in VisibilityController.
We don't want a post hook?
bq. Call {@link org.apache.hadoop.hbase.coprocessor.ObserverContext#bypass()} to skip the merge.
Doc says bypass is having effect but the code is not considering that.
    if (User.isHBaseSecurityEnabled(master.getConfiguration())) {
      User user = RpcServer.getRequestUser();
      try {
        user.getUGI().doAs(new PrivilegedExceptionAction<Void>() {
          @Override
          public Void run() throws Exception {
            master.cpHost.preMerge(regionInfoA, regionInfoB);
            return null;
          }
        });
When a hook is added, it must be called irrespective of whether security is enabled or not.
This flow will be executed by the normal RPC user who called merge(), right? Do we still need
this doAs way?

> Master region merge RPC should authorize user request
> -----------------------------------------------------
>                 Key: HBASE-15132
>                 URL: https://issues.apache.org/jira/browse/HBASE-15132
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: HBASE-15132.v1.patch
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver. 
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions() is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves a potential security hole - any user without proper authorization can merge regions of any table.
> Thanks to Enis who spotted this flaw first.

This message was sent by Atlassian JIRA
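
The two points raised in the comment above (the pre-merge hook runs whether or not security is enabled, and a bypass request is honored), shown on a simplified model of step 1 of the merge flow. This is an added example, not code from the HBase patch or project; every class and method name in it is hypothetical, and the ADMIN-on-table policy is an assumption made for the sketch.

```java
import java.util.*;

// Simplified model, not HBase code; every name below is hypothetical.
public class MergeAuthModel {
    /** Stand-in for a master observer: throw to deny, return true to bypass the merge. */
    interface MergeObserver {
        boolean preMerge(String user, String table);
    }

    /** Assumed policy for this sketch: only users granted ADMIN on the table may merge. */
    static class AdminCheck implements MergeObserver {
        private final Map<String, Set<String>> admins;
        AdminCheck(Map<String, Set<String>> admins) { this.admins = admins; }
        @Override
        public boolean preMerge(String user, String table) {
            if (!admins.getOrDefault(table, Set.of()).contains(user)) {
                throw new SecurityException(user + " lacks ADMIN on " + table);
            }
            return false; // authorized, no bypass requested
        }
    }

    /** Step 1 of the flow: the master-side RPC entry point. */
    static String dispatchMerge(String rpcUser, String table, List<MergeObserver> observers) {
        // Hooks run on every request, with the identity of the RPC caller, and
        // before any work is done under the service ("hbase") identity.
        for (MergeObserver o : observers) {
            if (o.preMerge(rpcUser, table)) {
                return "bypassed"; // a bypass request stops the merge
            }
        }
        // Steps 2 and 3 (move regions, call the regionserver) would happen here.
        return "merged";
    }

    public static void main(String[] args) {
        Map<String, Set<String>> acl =
            Map.of("t1", Set.of("alice"), "frozen", Set.of("alice"));
        MergeObserver freeze = (user, table) -> table.equals("frozen");
        List<MergeObserver> obs = List.of(new AdminCheck(acl), freeze);
        System.out.println(dispatchMerge("alice", "t1", obs));
        System.out.println(dispatchMerge("alice", "frozen", obs));
        try {
            dispatchMerge("bob", "t1", obs);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```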