Looking at RegionServerObserver, it only defines a single method -- preStopRegionServer(). AccessController mediates access on all normal client operations on data, which happen on regions and are only represented in RegionObserver. So what it sounds like you're asking is if RegionServerObserver should duplicate in some form pre/post hooks for the operations already represented in RegionObserver? I think there are a couple of problems with this approach:
* confusion in the API through duplicate representation of operations at multiple layers
* both AccessController and TokenProvider function as endpoints and coprocessor RPC is only supported against RegionObservers (at the moment)

An alternate approach would be to implement AccessController as something like an RPC filter at the RPC server layer. This would again allow loading only a single instance per server, but you lose a lot of context in the execution of each operation that allows AccessController to make access control decisions (things like for wildcard gets or scans the set of defined column families is filled in). Without the full execution context, I think you wind up doing a lot more work in AccessController and lose some flexibility in the future.

Not everything is loaded for every region either. The cached AccessControlLists set of ACLs is shared per-regionserver in a singleton.

I can see the draw of only having a single AccessController per server, but I think the current design has actually worked out well.

The fact that RegionServerObservers are not represented in HRegionServer.getCoprocessors() seems like a bug that was missed when they were added.

On Tue, May 14, 2013 at 7:13 PM, Matteo Bertozzi <[email protected]> wrote:

> Looking at the coprocessor load code, and at the documentation...
> I've noticed that coprocessors like AccessController, TokenProvider, ...
> are region coprocessors.
>
> This means that for each region there's a new instance of TokenProvider,
> AccessController, ...
>
> Is there a reason to not have them as RegionServer coprocessors (loaded
> only once per RS)?
>
> also the HRegionServer.getCoprocessors() seems to not print the
> regionserver coprocessors but just the hlog + region coprocessors.
>
> Matteo
