Return-Path: <issues-return-251127-archive-asf-public=cust-asf.ponee.io@hbase.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id ABA53200B65
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 13 Jul 2016 00:39:22 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id AA297160A56; Tue, 12 Jul 2016 22:39:22 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 280D8160A87
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 13 Jul 2016 00:39:22 +0200 (CEST)
Received: (qmail 12876 invoked by uid 500); 12 Jul 2016 22:39:21 -0000
Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@hbase.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@hbase.apache.org>
List-Post: <mailto:issues@hbase.apache.org>
List-Id: <issues.hbase.apache.org>
Delivered-To: mailing list issues@hbase.apache.org
Received: (qmail 12754 invoked by uid 99); 12 Jul 2016 22:39:20 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Jul 2016 22:39:20 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id ADAFD2C02AC
	for <issues@hbase.apache.org>; Tue, 12 Jul 2016 22:39:20 +0000 (UTC)
Date: Tue, 12 Jul 2016 22:39:20 +0000 (UTC)
From: "Gary Helmling (JIRA)" <jira@apache.org>
To: issues@hbase.apache.org
Message-ID: <JIRA.12988878.1468360171000.8439.1468363160708@Atlassian.JIRA>
In-Reply-To: <JIRA.12988878.1468360171000@Atlassian.JIRA>
References: <JIRA.12988878.1468360171000@Atlassian.JIRA> <JIRA.12988878.1468360171728@arcas>
Subject: [jira] [Updated] (HBASE-16217) Identify calling user in
 ObserverContext
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Tue, 12 Jul 2016 22:39:22 -0000


     [ https://issues.apache.org/jira/browse/HBASE-16217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Helmling updated HBASE-16217:
----------------------------------
    Status: Patch Available  (was: Open)

The attached patch is a first step in eliminating use of UserGroupInformation.doAs() for permissions checking:
* adds a User instance to ObserverContext identifying the calling user for the coprocessor context
* updates AccessController to make use of this for permissions checks
* eliminates use of UserGroupInformation.doAs() for permissions checks in procedure paths, compactions, splits, region merges

> Identify calling user in ObserverContext
> ----------------------------------------
>
>                 Key: HBASE-16217
>                 URL: https://issues.apache.org/jira/browse/HBASE-16217
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Coprocessors, security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>             Fix For: 2.0.0, 1.4.0
>
>         Attachments: HBASE-16217.master.001.patch
>
>
> We already either explicitly pass down the relevant User instance initiating an action through the call path, or it is available through RpcServer.getRequestUser().  We should carry this through in the ObserverContext for coprocessor upcalls and make use of it for permissions checking.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)