[
https://issues.apache.org/jira/browse/HBASE-16141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15354738#comment-15354738
]
Anoop Sam John commented on HBASE-16141:
----------------------------------------
So all the CP hooks will run under system user's identity?
Previous issue was that some of the CP hooks were called with system identity
as those were calls from Master to RS. But most of the hooks around read
write etc are getting called under user identity only.
+1 for passing the end user identity via ObserverContext.
> Unwind use of UserGroupInformation.doAs() to convey requester identity in
> coprocessor upcalls
> ---------------------------------------------------------------------------------------------
>
> Key: HBASE-16141
> URL: https://issues.apache.org/jira/browse/HBASE-16141
> Project: HBase
> Issue Type: Improvement
> Components: Coprocessors, security
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Fix For: 2.0.0, 1.4.0
>
>
> In discussion on HBASE-16115, there is some discussion of whether
> UserGroupInformation.doAs() is the right mechanism for propagating the
> original requester's identify in certain system contexts (splits,
> compactions, some procedure calls). It has the unfortunately of overriding
> the current user, which makes for very confusing semantics for coprocessor
> implementors. We should instead find an alternate mechanism for conveying
> the caller identity, which does not override the current user context.
> I think we should instead look at passing this through as part of the
> ObserverContext passed to every coprocessor hook.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
