From issues-return-7475-archive-asf-public=cust-asf.ponee.io@phoenix.apache.org Mon Jun 10 00:59:02 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id D7477180670 for ; Mon, 10 Jun 2019 02:59:01 +0200 (CEST) Received: (qmail 36806 invoked by uid 500); 10 Jun 2019 00:59:01 -0000 Mailing-List: contact issues-help@phoenix.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@phoenix.apache.org Delivered-To: mailing list issues@phoenix.apache.org Received: (qmail 36796 invoked by uid 99); 10 Jun 2019 00:59:01 -0000 Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Jun 2019 00:59:01 +0000 Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 62F15E2AD2 for ; Mon, 10 Jun 2019 00:59:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 23CF7245A4 for ; Mon, 10 Jun 2019 00:59:00 +0000 (UTC) Date: Mon, 10 Jun 2019 00:59:00 +0000 (UTC) From: "Lars Hofhansl (JIRA)" To: issues@phoenix.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Comment Edited] (PHOENIX-5269) PhoenixAccessController should use AccessChecker instead of AccessControlClient for permission checks MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/PHOENIX-5269?page=3Dcom.atlassi= an.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D16= 859627#comment-16859627 ]=20 Lars Hofhansl edited comment on PHOENIX-5269 at 6/10/19 12:58 AM: ------------------------------------------------------------------ # Why is the=C2=A0PermissionsCacheIT different between 4.x-HBase-1.4 and 4.= x-HBase-1.5? (Test class has a parameter in 1.4 but not 1.5) # The PermissionsCacheIT has been failing since this change in 4.x-HBase-1.= 4 and nobody noticed(!) And it fails exactly because there's no no-paramete= r constructor. # Why is this not needed in 4.x-HBase-1.3? # Where's the master patch? This is confusing on many fronts. :) Please do not 1/2 check-in changes. Now we have a 1/2 open jira with change= s in some branches and not in others, we can now neither close this jira, n= or can we leave it open. In 4.x-HBase-1.4 let's either fix the test or revert. was (Author: lhofhansl): # Why is the=C2=A0PermissionsCacheIT different between 4.x-HBase-1.4 and 4.= x-HBase-1.5? (Test class has a parameter in 1.4 but not 1.5) # The PermissionsCacheIT has been failing since this change in 4.x-HBase-1.= 4 and nobody noticed(!) And it fails exactly because there's no no-paramete= r constructor. # Why is this not needed in 4.x-HBase-1.3? # Where's the master patch? This is confusing on many fronts. :) Please do not 1/2 check-in changes. Now we have a 1/2 open jira with change= s in some branches and not in other, we neither close this jira, nor can we= leave it open. In 4.x-HBase-1.4 let's either fix the test or revert. > PhoenixAccessController should use AccessChecker instead of AccessControl= Client for permission checks > -------------------------------------------------------------------------= ---------------------------- > > Key: PHOENIX-5269 > URL: https://issues.apache.org/jira/browse/PHOENIX-5269 > Project: Phoenix > Issue Type: Bug > Affects Versions: 4.14.1, 4.14.2 > Reporter: Andrew Purtell > Assignee: Kiran Kumar Maturi > Priority: Critical > Fix For: 4.15.0, 4.14.2 > > Attachments: PHOENIX-5269-4.14-HBase-1.4.patch, PHOENIX-5269-4.14= -HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch, PHOENIX-5269.4.1= 4-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch, PHOENIX-5269.4.= x-HBase-1.4.v1.patch, PHOENIX-5269.4.x-HBase-1.5.v1.patch > > > PhoenixAccessController should use AccessChecker instead of AccessControl= Client for permission checks.=20 > In HBase, every RegionServer's AccessController maintains a local cache o= f permissions. At startup time they are initialized from the ACL table. Whe= never the ACL table is changed (via grant or revoke) the AC on the ACL tabl= e "broadcasts" the change via zookeeper, which updates the cache. This is p= erformed and managed by TableAuthManager but is exposed as API by AccessChe= cker. AccessChecker is the result of a refactor that was committed as far b= ack as branch-1.4 I believe. > Phoenix implements its own access controller and is using the client API = AccessControlClient instead. AccessControlClient does not cache nor use the= ZK-based cache update mechanism, because it is designed for client side us= e. > The use of AccessControlClient instead of AccessChecker is not scalable. = Every permissions check will trigger a remote RPC to the ACL table, which i= s generally going to be a single region hosted on a single RegionServer.=20 -- This message was sent by Atlassian JIRA (v7.6.3#76005)