[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15116630#comment-15116630 ]

Anoop Sam John commented on HBASE-15132:
----------------------------------------

Ya. Master-side hooks give the AC a way to do the auth check, do the early 
out, and avoid the unwanted moves and RPCs.  So from the AC perspective this works, 
right? Why do we need more work now?

> Master region merge RPC should authorize user request
> -----------------------------------------------------
>
>                 Key: HBASE-15132
>                 URL: https://issues.apache.org/jira/browse/HBASE-15132
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>             Fix For: 2.0.0, 1.3.0
>
>         Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, 
> HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, 
> HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver. 
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions() 
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves a potential security hole - any user without proper authorization 
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
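
The flow described in the issue, modelled as an added example (not HBase code and not taken from any of the attached patches): without a master-side check the regionserver only ever sees the "hbase" identity, so the original caller is never authorized. All class and method names are hypothetical, and ADMIN on the table is assumed to be the required permission.

```java
import java.util.*;

// Simplified model of the merge flow; every name here is hypothetical, not an HBase API.
public class MergeAuthModel {
    // Constructed ACL: users holding ADMIN per table (assumed to be the required permission).
    static final Map<String, Set<String>> TABLE_ADMINS = Map.of("orders", Set.of("alice"));
    static final List<String> auditLog = new ArrayList<>();

    // Step 3: the regionserver sees only the master's own identity ("hbase").
    static void regionServerMerge(String rpcUser, String table) {
        if (!rpcUser.equals("hbase")) {
            throw new SecurityException("regionserver: denied " + rpcUser);
        }
        auditLog.add("merged regions of " + table + " as " + rpcUser);
    }

    // Master-side hook: authorize the original caller before any work is done.
    static void preDispatchMerge(String caller, String table) {
        if (!TABLE_ADMINS.getOrDefault(table, Set.of()).contains(caller)) {
            throw new SecurityException("master: " + caller + " lacks ADMIN on " + table);
        }
    }

    // Steps 1-3 as run by the master; hookEnabled=false is the flow the issue describes.
    static boolean dispatchMerge(String caller, String table, boolean hookEnabled) {
        try {
            if (hookEnabled) {
                preDispatchMerge(caller, table);                          // early out
            }
            auditLog.add("moved regions of " + table + " for " + caller); // step 2
            regionServerMerge("hbase", table);        // step 3: caller identity is lost here
            return true;
        } catch (SecurityException e) {
            auditLog.add("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed callers: "bob" holds no permission on the table, "alice" holds ADMIN.
        System.out.println("no hook, bob:   " + dispatchMerge("bob", "orders", false));
        System.out.println("hook,    bob:   " + dispatchMerge("bob", "orders", true));
        System.out.println("hook,    alice: " + dispatchMerge("alice", "orders", true));
        auditLog.forEach(System.out::println);
    }
}
```

The audit log makes the early out visible: with the hook enabled, the rejected request produces no region move and no regionserver RPC.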


