[
https://issues.apache.org/jira/browse/HBASE-19634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16305221#comment-16305221
]
Duo Zhang commented on HBASE-19634:
-----------------------------------
We do not have a way to verify who is the master...
For a secure HBase, we can get a trusted user name of the remote side. Usually
Master and RS will be started with a specific user, that's why I say how about
only allow this user to do these calls.
> Confirm that we do not leak the privilege for modifying replication peer to
> unauthorized user
> ---------------------------------------------------------------------------------------------
>
> Key: HBASE-19634
> URL: https://issues.apache.org/jira/browse/HBASE-19634
> Project: HBase
> Issue Type: Sub-task
> Components: proc-v2, Replication
> Reporter: Duo Zhang
>
> This is important, the actual refresh on RS is trigger by the
> executeProcedure call and it will pass some information. These information
> should not be fully trusted since anyone can all this method. We need to make
> sure that the actual data/state for a replication peer is always loaded from
> the replication storage, not from the parameter of the executeProcedure call.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
