Peter Somogyi created HBASE-29361:
-------------------------------------
Summary: Snapshot coprocessor hooks called inside
SnapshotProcedure,
Key: HBASE-29361
URL: https://issues.apache.org/jira/browse/HBASE-29361
Project: HBase
Issue Type: Bug
Components: Coprocessors, snapshots
Affects Versions: 2.6.0
Reporter: Peter Somogyi
Assignee: Peter Somogyi
Snapshot coprocessor hooks (e.g. preSnapshot) are called inside
SnapshotProcedure, causing inconsistent behavior compared to
CreateTableProcedure or other procedures.
*Current Behavior:*
In HBase 2.6, snapshot operations have been moved to the Procedure framework.
However, the integration of coprocessors with snapshots differs from other
procedures. Specifically, the preSnapshot coprocessor hook is called inside the
SnapshotProcedure's SNAPSHOT_PRE_OPERATION step. If a coprocessor (e.g.,
Ranger) throws an AccessDeniedException during a snapshot create command, the
SnapshotProcedure starts and rolls back during the SNAPSHOT_PRE_OPERATION step.
This is different from CreateTableProcedure, where the preCreateTable hook is
called before the procedure itself starts.
When the CreateTableProcedure is denied it will create a FailedProcedure,
however, the CreateSnapshot procedure will start a SnapshotProcedure.
*Comparison*
Original behavior using deny coprocessor for snapshot and table create
{noformat}
hbase:011:0> snapshot 'peter', 'denied1'
ERROR: Snapshot is not allowed by coprocessor
For usage try 'help "snapshot"'
Took 0.1669 seconds
hbase:012:0> create 'peter1-denied', 'f'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Denied table
create
For usage try 'help "create"'
Took 0.0510 seconds
hbase:013:0> list_procedures
PID Name State Submitted Last_Update Parameters
88 org.apache.hadoop.hbase.master.procedure.SnapshotProcedure ROLLEDBACK
2025-05-28 14:18:40 +0200 2025-05-28 14:18:40 +0200 [{},
{"snapshot"=>{"name"=>"denied1", "table"=>"peter",
"creationTime"=>"1748434720667", "type"=>"FLUSH", "version"=>2, "ttl"=>"0"}}]
89 org.apache.hadoop.hbase.procedure2.FailedProcedure ROLLEDBACK 2025-05-28
14:18:55 +0200 2025-05-28 14:18:55 +0200
2 row(s)
Took 0.0408 seconds
hbase:014:0>
{noformat}
The new behavior when preSnapshot is called before the Procedure itself
{noformat}
hbase:001:0> snapshot 'peter', 'denied1'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Snapshot is not
allowed by coprocessor
For usage try 'help "snapshot"'
Took 5.3337 seconds
hbase:002:0> create 'peter-denied', 'f'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Denied table
create
For usage try 'help "create"'
Took 0.0184 seconds
hbase:003:0> list_procedures
PID Name State Submitted Last_Update Parameters
102 org.apache.hadoop.hbase.procedure2.FailedProcedure ROLLEDBACK 2025-05-28
14:44:52 +0200 2025-05-28 14:44:52 +0200
103 org.apache.hadoop.hbase.procedure2.FailedProcedure ROLLEDBACK 2025-05-28
14:45:01 +0200 2025-05-28 14:45:01 +0200
2 row(s)
Took 0.0472 seconds
hbase:004:0>
{noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
