[
https://issues.apache.org/jira/browse/RANGER-2724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17035512#comment-17035512
]
Rajeshbabu Chintaguntla commented on RANGER-2724:
-------------------------------------------------
Here is a WIP patch where I tried to add the execute permission in the server def
and to support execute, but when I try to deploy it in the cluster it's not
showing. Can anyone help me with how to verify it and where to add the test cases
for the same? Thanks in advance.
> Support EXECUTE permission in HBase Authorisation
> -------------------------------------------------
>
> Key: RANGER-2724
> URL: https://issues.apache.org/jira/browse/RANGER-2724
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Priority: Major
> Attachments: RANGER-2724.patch
>
>
> HBase Authorisation supports execute permission along with read, write, create
> and admin.
> https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cdh_sg_hbase_authorization.html#
> # Read (R) - can read data at the given scope
> # Write (W) - can write data at the given scope
> # Execute (X) - can execute coprocessor endpoints at the given scope
> # Create (C) - can create tables or drop tables (even those they did not
> create) at the given scope
> # Admin (A) - can perform cluster operations such as balancing the cluster or
> assigning regions at the given scope
> In HBase we can define endpoint implementations to extend the HBase
> functionality without touching the core. These endpoints can be called in
> table scope.
> Example: Endpoint section in
> https://blogs.apache.org/hbase/entry/coprocessor_introduction
> To run the endpoint implementations, users can be authorised with execute
> permissions. There are also coprocessor hooks supported for these
> endpoint invocations.
> {noformat}
> public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>     Service service, String methodName, Message request) throws IOException {
>   if (this.shouldCheckExecPermission && !(service instanceof AccessControlService)) {
>     this.requirePermission(ctx,
>         "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",
>         this.getTableName((RegionCoprocessorEnvironment) ctx.getEnvironment()),
>         (byte[]) null, (byte[]) null, Action.EXEC);
>   }
>   return request;
> }
>
> public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> ctx,
>     Service service, String methodName, Message request, Builder responseBuilder)
>     throws IOException {
> }
> {noformat}
> Anyway, this execute permission is optional, but it is better to have it in
> Ranger; mainly in the case of Phoenix, we use most of the coprocessor endpoints
> to deal with metadata for tables/resources to be written to system tables. So
> it would be helpful to have it.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
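
One way to check a service def for the gap this issue describes, as an added example that is not part of the original message or the attached patch. It assumes a Ranger-style JSON service def with `accessTypes` and `impliedGrants`, an access type named `execute`, and constructed sample data.

```python
import json

# HBase actions as listed in the issue description (R, W, X, C, A), mapped to
# the access-type names a service def would carry. The name "execute" is an
# assumption; the page only says an execute permission is being added.
HBASE_ACTION_TO_ACCESS_TYPE = {
    "READ": "read", "WRITE": "write", "EXEC": "execute",
    "CREATE": "create", "ADMIN": "admin",
}

# Constructed service def fragments (not copied from the Ranger source tree).
SERVICE_DEF_BEFORE = json.loads("""
{"name": "hbase", "accessTypes": [
  {"itemId": 1, "name": "read",   "label": "Read"},
  {"itemId": 2, "name": "write",  "label": "Write"},
  {"itemId": 3, "name": "create", "label": "Create"},
  {"itemId": 4, "name": "admin",  "label": "Admin",
   "impliedGrants": ["read", "write", "create"]}
]}
""")
SERVICE_DEF_AFTER = json.loads(json.dumps(SERVICE_DEF_BEFORE))  # deep copy
SERVICE_DEF_AFTER["accessTypes"].append(
    {"itemId": 5, "name": "execute", "label": "Execute"})

def unmapped_actions(service_def):
    """HBase actions that have no matching access type in the service def."""
    defined = {a["name"] for a in service_def.get("accessTypes", [])}
    return sorted(action for action, name in HBASE_ACTION_TO_ACCESS_TYPE.items()
                  if name not in defined)

def effective_access(service_def, granted):
    """Expand granted access types through impliedGrants, transitively."""
    implied = {a["name"]: a.get("impliedGrants", [])
               for a in service_def.get("accessTypes", [])}
    result, todo = set(), [g for g in granted if g in implied]
    while todo:
        name = todo.pop()
        if name not in result:
            result.add(name)
            todo.extend(n for n in implied[name] if n in implied)
    return result

def is_allowed(service_def, granted, hbase_action):
    """True if a policy item granting `granted` covers the HBase action."""
    needed = HBASE_ACTION_TO_ACCESS_TYPE[hbase_action]
    return needed in effective_access(service_def, granted)
```

In the constructed "after" def, `admin` still does not reach EXEC because its `impliedGrants` list was left unchanged; whether it should is a design decision the page does not state.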