Rushabh Shah created HBASE-28508:
------------------------------------
Summary: Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService
Key: HBASE-28508
URL: https://issues.apache.org/jira/browse/HBASE-28508
Project: HBase
Issue Type: Bug
Components: acl
Reporter: Rushabh Shah
Assignee: Rushabh Shah
We have introduced a new regionserver coproc within Phoenix and all the
permission-related tests are failing with the following exception.
{noformat}
Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
	at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
	at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
	at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
{noformat}
This check is failing.
[RSRpcServices|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L3815]
{code}
  @Override
  public CoprocessorServiceResponse execRegionServerService(RpcController controller,
    CoprocessorServiceRequest request) throws ServiceException {
    rpcPreCheck("execRegionServerService");
    return server.execRegionServerService(controller, request);
  }

  private void rpcPreCheck(String requestName) throws ServiceException {
    try {
      checkOpen();
      requirePermission(requestName, Permission.Action.ADMIN);
    } catch (IOException ioe) {
      throw new ServiceException(ioe);
    }
  }
{code}
Why do we need ADMIN permissions to call a region server coproc? We don't need
ADMIN permissions to call all region coprocs. We require ADMIN permissions to
execute some region coprocs (compactionSwitch, clearRegionBlockCache).
Can we change the permission to READ?