[ https://issues.apache.org/jira/browse/HBASE-11972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14133407#comment-14133407 ]
Devaraj Das commented on HBASE-11972:
-------------------------------------
Pardon me [~anoop.hbase] and [~apurtell]. I wasn't thinking right when I wrote
the comment and was mixing up my thoughts with another issue...
So the issue is simple: in the patch on HBASE-11886, I introduced a doAs for
the end-user within which the postCreateTableHandler would execute. This solves
the problem of getting the right "user" to set the permissions for in the
hbase:acl table. However, the issue is that the master RPC
(AccessControlLists.addUserPermission) to the regionserver hosting the
hbase:acl region shouldn't execute as the end-user. The RPC layer in the master
wouldn't find the credentials of the end-user to use (of course). Unless the
master is configured to work in the proxy-user mode, this would not work.
So in the patch attached on this jira, I explicitly revert to the master's user
credentials to make the remote regionserver call... Makes sense?
> The "doAs user" used in the update to hbase:acl table RPC is incorrect
> ----------------------------------------------------------------------
>
> Key: HBASE-11972
> URL: https://issues.apache.org/jira/browse/HBASE-11972
> Project: HBase
> Issue Type: Bug
> Reporter: Devaraj Das
> Assignee: Devaraj Das
> Priority: Critical
> Fix For: 2.0.0, 0.98.7, 0.99.1
>
> Attachments: 11972-1.txt
>
>
> This is a follow-up to HBASE-11886. I missed one doAs in the patch. We
> discovered the issue in our internal testing with security ON.
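
The identity split described in the comment above, as an added example (not the attached 11972-1.txt patch and not HBase code): the grantee name is captured inside the end user's doAs, while the call that writes the grant runs inside the login user's doAs. It assumes hadoop-common on the classpath; `writeAclGrant` is a hypothetical stand-in for the master's RPC to the hbase:acl region, and "alice" is a constructed user name.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class AclGrantIdentityDemo {

    // Hypothetical stand-in for the master's RPC that writes a grant to hbase:acl.
    // It reports which identity the call ran as, so the difference is visible.
    static String writeAclGrant(String grantee) throws Exception {
        UserGroupInformation caller = UserGroupInformation.getCurrentUser();
        return caller.getShortUserName() + " grants " + grantee;
    }

    // Pattern the comment describes as the problem: the RPC is issued while
    // still inside the end user's doAs, so it runs as the end user, whose
    // credentials the master process does not hold.
    static String hookWithRpcAsEndUser(UserGroupInformation endUser) throws Exception {
        return endUser.doAs((PrivilegedExceptionAction<String>) () -> {
            String grantee = UserGroupInformation.getCurrentUser().getShortUserName();
            return writeAclGrant(grantee);
        });
    }

    // Pattern the comment describes as the fix: the end user's name is still
    // taken from the doAs context, but it is passed as data into a nested doAs
    // for the process login user, which makes the remote call.
    static String hookWithRpcAsLoginUser(UserGroupInformation endUser) throws Exception {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        return endUser.doAs((PrivilegedExceptionAction<String>) () -> {
            final String grantee = UserGroupInformation.getCurrentUser().getShortUserName();
            return loginUser.doAs(
                (PrivilegedExceptionAction<String>) () -> writeAclGrant(grantee));
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed end user: a remote-user UGI carries a name but no credentials.
        UserGroupInformation alice = UserGroupInformation.createRemoteUser("alice");
        System.out.println("end user has Kerberos credentials: "
            + alice.hasKerberosCredentials());
        System.out.println("RPC inside end-user doAs:   " + hookWithRpcAsEndUser(alice));
        System.out.println("RPC inside login-user doAs: " + hookWithRpcAsLoginUser(alice));
    }
}
```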