[
https://issues.apache.org/jira/browse/HBASE-28391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17820958#comment-17820958
]
Rushabh Shah edited comment on HBASE-28391 at 2/27/24 4:59 AM:
---------------------------------------------------------------
> Better start a discussion thread on dev list about this, if no objections,
> let's change it to Action.READ
Thank you [~zhangduo] for the reply. Created discussion thread
[here|https://lists.apache.org/thread/vcf50plmsx59yh4fyvsfpo7xht4rbhz8]
> Remove the need for ADMIN permissions for listDecommissionedRegionServers
> -------------------------------------------------------------------------
>
> Key: HBASE-28391
> URL: https://issues.apache.org/jira/browse/HBASE-28391
> Project: HBase
> Issue Type: Bug
> Components: Admin
> Affects Versions: 2.4.17, 2.5.7
> Reporter: Rushabh Shah
> Assignee: Rushabh Shah
> Priority: Major
> Labels: pull-request-available
>
> Why do we need {{ADMIN}} permissions for
> {{AccessController#preListDecommissionedRegionServers}}?
> From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the
> argument {{excludeDecommissionedRS}} is set to true. Refer
> [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730].
> If {{excludeDecommissionedRS}} is set to true and we have the
> {{AccessController}} co-proc attached, it requires ADMIN permissions to
> execute the {{listDecommissionedRegionServers}} RPC. Refer
> [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207].
>
> {code:java}
> @Override
> public void preListDecommissionedRegionServers(
>     ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
>   requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);
> }
> {code}
> I understand that we need ADMIN permissions for
> _preDecommissionRegionServers_ and _preRecommissionRegionServer_ because they
> change the membership of regionservers, but I don’t see any need for ADMIN
> permissions for _listDecommissionedRegionServers_. Do you think we can
> remove the need for ADMIN permissions for the _listDecommissionedRegionServers_ RPC?