[ https://issues.apache.org/jira/browse/HBASE-16700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Clay B. updated HBASE-16700: ---------------------------- Attachment: HBASE-16700.006.patch This adds test cases for: * A classpath coprocessor (here {{org.apache.hadoop.hbase.coprocessor.BaseRegionObserver}} since it's handy) * The above test is a table creation test * Adds back the accidentally dropped table creation test show the creation should fail * Add HBase reference documentation (I had to build this dropping the {{<skin>}} tag in {{src/main/site/site.xml}} as {{mvn site}} was breaking for me as Jenkins recently reported. As to: {quote}I was asking whether we want to do class name white listing on top of path white listing. It should be fine for now.{quote} I think it would make sense to allow certain tables certain paths or coprocessors but for now I think that's a pretty far down use case from what I have yet seen; certainly could be a follow-up JIRA if anyone wants it. > Allow for coprocessor whitelisting > ---------------------------------- > > Key: HBASE-16700 > URL: https://issues.apache.org/jira/browse/HBASE-16700 > Project: HBase > Issue Type: Improvement > Components: Coprocessors > Reporter: Clay B. > Priority: Minor > Labels: security > Attachments: HBASE-16700.000.patch, HBASE-16700.001.patch, > HBASE-16700.002.patch, HBASE-16700.003.patch, HBASE-16700.004.patch, > HBASE-16700.005.patch, HBASE-16700.006.patch > > > Today one can turn off all non-system coprocessors with > {{hbase.coprocessor.user.enabled}} however, this disables very useful things > like Apache Phoenix's coprocessors. Some tenants of a multi-user HBase may > also need to run bespoke coprocessors. But as an operator I would not want > wanton coprocessor usage. Ideally, one could do one of two things: > * Allow coprocessors defined in {{hbase-site.xml}} -- this can only be > administratively changed in most cases > * Allow coprocessors from table descriptors but only if the coprocessor is > whitelisted -- This message was sent by Atlassian JIRA (v6.3.4#6332)