hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Appy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-19483) Add proper privilege check for rsgroup commands
Date Wed, 13 Dec 2017 23:31:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-19483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16290084#comment-16290084

Appy commented on HBASE-19483:

At first I thought that [~stack]'s suggestion was great, but the current approach was fine
too, after all, it was just exposing RSGroupInfo which was public.
But then looking around, found {{RSGroupAdminEndpoint implements MasterCoprocessor}}. RSGroupAdminServer
is itself a coprocessor in a separate package! No no to adding rsgroup hooks in hbase-server.

Looking around more, the absolute proper way to do this would be:
1) moving require*() fns to a new class AccessChecker (contains TableAuthManager) in hbase-server
2) Create it's instance from RSGroupAdminServer
Then directly do auth checks from within rsgroup code.

Doesn't look much work. What do you think?
(If we do go this path, would suggest doing AC change and RSGroup change in separate jiras)

> Add proper privilege check for rsgroup commands
> -----------------------------------------------
>                 Key: HBASE-19483
>                 URL: https://issues.apache.org/jira/browse/HBASE-19483
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Guangxu Cheng
>             Fix For: 1.4.1, 1.5.0, 2.0.0-beta-1
>         Attachments: HBASE-19483.master.001.patch, HBASE-19483.master.002.patch, HBASE-19483.master.003.patch
> Currently list_rsgroups command can be executed by any user.
> This is inconsistent with other list commands such as list_peers and list_peer_configs.
> We should add proper privilege check for list_rsgroups command.
> privilege check should be added for get_table_rsgroup / get_server_rsgroup / get_rsgroup

This message was sent by Atlassian JIRA

View raw message