[
https://issues.apache.org/jira/browse/HBASE-14169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14648498#comment-14648498
]
Srikanth Srungarapu commented on HBASE-14169:
---------------------------------------------
Agree with Matteo's point. And also, allowing global admin to refresh super
user groups can introduce vulnerability as it introduces the possibility for
global admin to gain super user privileges.
{code}
requirePermission("refreshSuperUserGroupsConf", Action.ADMIN);
{code}
Also, we have new class {{SuperUsers}} which encapsulates the code related to
super user configurations. You might want to move some changes over to there.
> API to refreshSuperUserGroupsConfiguration
> ------------------------------------------
>
> Key: HBASE-14169
> URL: https://issues.apache.org/jira/browse/HBASE-14169
> Project: HBase
> Issue Type: New Feature
> Reporter: Francis Liu
> Assignee: Francis Liu
> Attachments: HBASE-14169.patch
>
>
> For deployments that use security. User impersonation (AKA doAs()) is needed
> for some services (ie Stargate, thriftserver, Oozie, etc). Impersonation
> definitions are defined in a xml config file and read and cached by the
> ProxyUsers class. Calling this api will refresh cached information,
> eliminating the need to restart the master/regionserver whenever the
> configuration is changed.
> Implementation just adds another method to AccessControlService.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
