[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15112949#comment-15112949
]
Ted Yu commented on HBASE-15132:
--------------------------------
bq. since the handler is already in user context, no?
I don't think so.
Here is the stack trace:
{code}
MasterRpcServices.dispatchMergingRegions(RpcController,
MasterProtos$DispatchMergingRegionsRequest) line: 531
MasterProtos$MasterService$2.callBlockingMethod(Descriptors$MethodDescriptor,
RpcController, Message) line: 58210
RpcServer.call(BlockingService, MethodDescriptor, Message, CellScanner, long,
MonitoredRPCHandler) line: 2231
CallRunner.run() line: 109
BalancedQueueRpcExecutor(RpcExecutor).consumerLoop(BlockingQueue<CallRunner>)
line: 133
RpcExecutor$1.run() line: 108
Thread.run() line: 745
{code}
> Master region merge RPC should authorize user request
> -----------------------------------------------------
>
> Key: HBASE-15132
> URL: https://issues.apache.org/jira/browse/HBASE-15132
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch,
> HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch,
> HBASE-15132.v6.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver.
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions()
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves potential security hole - any user without proper authorization
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
