Bryan Beaudreault created HBASE-26770:
-----------------------------------------
Summary: HBase client does not honor UserGroupInformation.doAs
Key: HBASE-26770
URL: https://issues.apache.org/jira/browse/HBASE-26770
Project: HBase
Issue Type: Bug
Reporter: Bryan Beaudreault
Despite passing the necessary UserInformation to the RegionServer, which does
authorize the request, the async and blocking clients do not work correctly with
the following access pattern:
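{code:java}
Connection connection = ConnectionFactory.createConnection();
Table table = connection.getTable(name);
UserGroupInformation proxy = UserGroupInformation.createProxyUser(
    "testUser",
    UserGroupInformation.getCurrentUser()
);
// The cast selects the PrivilegedExceptionAction overload of doAs;
// a bare lambda is ambiguous between the two doAs overloads.
Result result = proxy.doAs(
    (PrivilegedExceptionAction<Result>) () -> table.get(get));
{code}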
In this case, you would expect the get to be executed as "testUser", but
instead it is executed as whichever user created the initial connection. This
can be verified by checking the security logger on the RegionServer side.
The reason for this is that we stash the current User onto the actual
ConnectionImplementation, and we pass that through all calls in the stack when
executing an RPC. I think the appropriate way would be to replace usage of this
stashed User with a call to UserGroupInformation.getCurrentUser() in
RpcConnection, where SASL is negotiated and headers are generated.
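The behaviour reported above can be reproduced without an HBase cluster. The following is an added example, not code from the issue or from HBase: `StashedUserConnection` and `PerCallUserConnection` are hypothetical stand-ins for a client that captures the caller at connection creation versus one that resolves it at RPC time, and the only real API used is Hadoop's `UserGroupInformation` (assumes `hadoop-common` on the classpath and simple authentication).

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class DoAsIdentityDemo {

    /** Hypothetical: captures the caller once, when the connection is created. */
    static class StashedUserConnection {
        private final UserGroupInformation stashed;

        StashedUserConnection() throws IOException {
            this.stashed = UserGroupInformation.getCurrentUser();
        }

        String effectiveUser() {
            return stashed.getShortUserName();
        }
    }

    /** Hypothetical: resolves the caller each time a request is issued. */
    static class PerCallUserConnection {
        String effectiveUser() throws IOException {
            return UserGroupInformation.getCurrentUser().getShortUserName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Both connections are created outside doAs, as in the reported pattern.
        UserGroupInformation real = UserGroupInformation.getCurrentUser();
        StashedUserConnection stashedConn = new StashedUserConnection();
        PerCallUserConnection perCallConn = new PerCallUserConnection();

        UserGroupInformation proxy =
            UserGroupInformation.createProxyUser("testUser", real);

        String viaStashed = proxy.doAs(
            (PrivilegedExceptionAction<String>) stashedConn::effectiveUser);
        String viaPerCall = proxy.doAs(
            (PrivilegedExceptionAction<String>) perCallConn::effectiveUser);

        System.out.println("connection creator : " + real.getShortUserName());
        System.out.println("stashed identity   : " + viaStashed);
        System.out.println("per-call identity  : " + viaPerCall);

        // A regression check for the fix: the request must run as the proxy user.
        if (!"testUser".equals(viaPerCall) || "testUser".equals(viaStashed)) {
            throw new AssertionError("unexpected identity resolution");
        }
    }
}
```

The stashed variant reports the connection creator even inside `doAs`, which is the identity that would then appear in the RegionServer's security log for the request.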