We have had this discussion before about other list* methods and we have
sometimes decided to restrict them to ADMIN. The reason for that was the
information returned by the method might leak sensitive information. For
example, listing table descriptors will include all arbitrary and
potentially sensitive user set attributes in the schema.
I think here the information listed is not sensitive in the same way. Host
cluster membership, and especially decommissioned hosts, is not secret.

Compatibility should be fine. Someone granted ADMIN permission will still
be able to invoke this method if the security check is relaxed.

+1

On Tue, Feb 27, 2024 at 8:32 AM Viraj Jasani <vjas...@apache.org> wrote:

> +1 for relaxing the permission. While I haven't gone through the history,
> it seems that requiring ADMIN for the listDecomm operation might be an
> oversight.
>
> Unless it is a really big deal from a compatibility viewpoint, I think we
> should be fine relaxing this.
>
>
>
> On Mon, Feb 26, 2024 at 8:55 PM Rushabh Shah
> <rushabh.s...@salesforce.com.invalid> wrote:
>
> > Hi hbase-dev,
> >
> > Why do we need ADMIN permissions for the
> > AccessController#preListDecommissionedRegionServers API?
> >
> > From Phoenix, we are calling Admin#getRegionServers(true) where the
> > argument excludeDecommissionedRS is set to true. [1]
> > If excludeDecommissionedRS is set to true and if we have the
> > AccessController co-proc attached, it requires ADMIN permissions to
> > execute the listDecommissionedRegionServers RPC. [2]
> > Snippet below:
> >
> >   @Override
> >   public void preListDecommissionedRegionServers(
> >       ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
> >     requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);
> >   }
> >
> > I understand that we need ADMIN permissions
> > for preDecommissionRegionServers and preRecommissionRegionServers because
> > it changes the membership of regionservers but I don’t see any need for
> > ADMIN permissions for listDecommissionedRegionServers.
> >
> > Does anyone have objections if we relax the requirement to READ
> permissions
> > instead of ADMIN permissions?
> >
> > I have created HBASE-28391
> > <https://issues.apache.org/jira/browse/HBASE-28391> to implement this.
> > Thank you !
> >
> >
> > 1. https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730
> >
> > 2. https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207
> >
>


-- 
Best regards,
Andrew

Unrest, ignorance distilled, nihilistic imbeciles -
    It's what we’ve earned
Welcome, apocalypse, what’s taken you so long?
Bring us the fitting end that we’ve been counting on
   - A23, Welcome, Apocalypse
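
The compatibility question raised in this thread (who keeps access to listDecommissionedRegionServers once the hook's check moves from Action.ADMIN to Action.READ) is easy to answer mechanically. The following stand-alone model is an added example, not HBase or Phoenix code. It assumes, as a modelling assumption to be confirmed against AuthManager.authorizeUserGlobal in the HBase source, that a global grant is a flat set of actions (no action implies another) and that a check for action X passes only when the grant contains X or the caller is a superuser. The principal names and grants are constructed for the example.

```python
"""Model of the global-permission check behind AccessController#requirePermission.

Added example; not HBase code. Modelling assumption (verify against
AuthManager.authorizeUserGlobal): a global grant is a flat set of actions,
no action implies another, and superusers bypass the check entirely.
"""
from enum import Enum


class Action(Enum):
    """Mirrors HBase Permission.Action letters R/W/X/C/A."""
    READ = "R"
    WRITE = "W"
    EXEC = "X"
    CREATE = "C"
    ADMIN = "A"


# Constructed sample principals for the example; not real users or grants.
SUPERUSERS = {"hbase"}
GLOBAL_GRANTS = {
    "phoenix_reader": {Action.READ},          # e.g. grant 'phoenix_reader', 'R'
    "ops_admin_only": {Action.ADMIN},         # e.g. grant 'ops_admin_only', 'A'
    "full_admin": set(Action),                # e.g. grant 'full_admin', 'RWXCA'
    "nobody": set(),                          # no global grant at all
}


def authorize_global(user: str, action: Action) -> bool:
    """Flat-set check: superuser, or a global grant containing exactly `action`."""
    if user in SUPERUSERS:
        return True
    return action in GLOBAL_GRANTS.get(user, set())


def pre_list_decommissioned_region_servers(user: str, required: Action) -> bool:
    """Stand-in for the coprocessor hook: True if the RPC would proceed,
    False where requirePermission would throw AccessDeniedException."""
    return authorize_global(user, required)


def compatibility_report(required_before: Action = Action.ADMIN,
                         required_after: Action = Action.READ) -> dict:
    """For each sample principal: allowed before the change, allowed after it,
    and whether the relaxation would regress an existing caller."""
    report = {}
    for user in list(GLOBAL_GRANTS) + sorted(SUPERUSERS):
        before = pre_list_decommissioned_region_servers(user, required_before)
        after = pre_list_decommissioned_region_servers(user, required_after)
        report[user] = {"before": before, "after": after,
                        "regressed": before and not after}
    return report


if __name__ == "__main__":
    for user, r in compatibility_report().items():
        print(f"{user:15} before={r['before']!s:5} after={r['after']!s:5} "
              f"regressed={r['regressed']}")
```

Under the modelled flat-set semantics the only principal that loses access is one granted 'A' alone; superusers and principals granted the usual 'RWXCA' pass both checks, and a read-only Phoenix client that was denied before is allowed after. Whether the 'A'-only case matters for a given deployment is the check to run before merging the relaxation.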