[
https://issues.apache.org/jira/browse/HBASE-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16264841#comment-16264841
]
Guanghao Zhang commented on HBASE-19334:
----------------------------------------
bq, Now the code is using new getConnection() which reuses the initial cluster
connection (short circuited) in RS. For this the user is always the super user
who started RS process.
I thought you misunderstand what I said. The user was stored by a threadlocal
variable. If a user A call grant method and then use short curcuited connection
to bypass rpc. Then the user still is user A. So User.runAsLoginUser not work.
You can try replace put(List) API with put(Put) and run TestAccessControl* test
to see the result.
> User.runAsLoginUser not work in AccessController because it use a short
> circuited connection
> --------------------------------------------------------------------------------------------
>
> Key: HBASE-19334
> URL: https://issues.apache.org/jira/browse/HBASE-19334
> Project: HBase
> Issue Type: Bug
> Reporter: Guanghao Zhang
> Assignee: Guanghao Zhang
> Attachments: HBASE-19334.master.001.patch
>
>
> The short-circuited connection will bypass the RPC and the RPC context didn't
> change. So it still use the old RPC user to write ACL table and
> User.runAsLoginUser not work.
> AccessController's grant method.
> {code}
> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
> @Override
> public Void run() throws Exception {
> // regionEnv is set at #start. Hopefully not null at this point.
> try (Table table = regionEnv.getConnection().
> getTable(AccessControlLists.ACL_TABLE_NAME)) {
>
> AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm,
> table,
> request.getMergeExistingPermissions());
> }
> return null;
> }
> });
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
