hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-19318) MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase AccessController implementation
Date Wed, 22 Nov 2017 18:40:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-19318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16263108#comment-16263108
] 

Josh Elser commented on HBASE-19318:
------------------------------------

bq. Ya I dont see we allow plugging in Authorization. AC implemented as CP and so Ranger or
any other could do customization.

Ok, so this is the source of our confusion. I strongly disagree with your assertion. I'm a
little worried if this is an opinion that a majority of folks entertains.

bq.  Also I believe the custom ACL impl is dealing with acl table directly

No, Ranger does not interact with the hbase:acl table at all.

bq. Sorry am not saying Ranger is unsupported by HBase

That's the thing though: you are. Your opinions that you're stating here at explicitly stating
that you the interface(s) that Ranger is using should not exist.

bq.  They using a non exposed thing now may be because we really not exposing some thing which
we must or it is wrong usage from user end. If the former , we have to correct ourselves first.
That is the whole point am trying to convey.

Doing more abstraction at this point to properly enable this "pluggability" is fine (I'm not
disagreeing with the goals you are trying to achieve), but we cannot just say "don't do that"
when we have no alternative. I don't see that being a trivial change or one we would want
to shove into 2.0 at this point.

> MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase AccessController
implementation
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-19318
>                 URL: https://issues.apache.org/jira/browse/HBASE-19318
>             Project: HBase
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Sharmadha Sainath
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 1.4.0, 1.3.2, 1.2.7, 2.0.0-beta-1
>
>
> Sharmadha brought a failure to my attention trying to use Ranger with HBase 2.0 where
the {{grant}} command was erroring out unexpectedly. The cluster had the Ranger-specific coprocessors
deployed, per what was previously working on the HBase 1.1 line.
> After some digging, I found that the the Master is actually making a check explicitly
for a Coprocessor that has the name {{org.apache.hadoop.hbase.security.access.AccessController}}
(short name or full name), instead of looking for a deployed coprocessor which can be assigned
to {{AccessController}} (which is what Ranger does). We have the CoprocessorHost methods to
do the latter already implemented; it strikes me that we just accidentally used the wrong
method in MasterRpcServices.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message