hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anoop Sam John (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HBASE-19318) MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase AccessController implementation
Date Wed, 22 Nov 2017 16:41:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-19318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16262895#comment-16262895
] 

Anoop Sam John edited comment on HBASE-19318 at 11/22/17 4:40 PM:
------------------------------------------------------------------

Ranger is extending our AccessController?  Is that allowed? !!  I dont see AC is exposed to
CPs. It is LP but just for Conig. Means we expose the name as such for users to config in
the xml.


was (Author: anoop.hbase):
Ranger is extending our AccessController?  Is that allowed.  I dont see AC is exposed to CPs.
It is LP but just for Conig. Means we expose the name as such for users to config in the xml.

> MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase AccessController
implementation
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-19318
>                 URL: https://issues.apache.org/jira/browse/HBASE-19318
>             Project: HBase
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Sharmadha Sainath
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 1.4.0, 1.3.2, 1.2.7, 2.0.0-beta-1
>
>
> Sharmadha brought a failure to my attention trying to use Ranger with HBase 2.0 where
the {{grant}} command was erroring out unexpectedly. The cluster had the Ranger-specific coprocessors
deployed, per what was previously working on the HBase 1.1 line.
> After some digging, I found that the the Master is actually making a check explicitly
for a Coprocessor that has the name {{org.apache.hadoop.hbase.security.access.AccessController}}
(short name or full name), instead of looking for a deployed coprocessor which can be assigned
to {{AccessController}} (which is what Ranger does). We have the CoprocessorHost methods to
do the latter already implemented; it strikes me that we just accidentally used the wrong
method in MasterRpcServices.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message