[ https://issues.apache.org/jira/browse/HBASE-28508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rushabh Shah updated HBASE-28508:
---------------------------------
    Affects Version/s: 2.5.8
                       2.4.17

> Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService
> -------------------------------------------------------------------------------
>
>                 Key: HBASE-28508
>                 URL: https://issues.apache.org/jira/browse/HBASE-28508
>             Project: HBase
>          Issue Type: Bug
>          Components: acl
>    Affects Versions: 2.4.17, 2.5.8
>            Reporter: Rushabh Shah
>            Assignee: Rushabh Shah
>            Priority: Major
>
> We have introduced a new regionserver coproc within phoenix and all the 
> permission related tests are failing with the following exception.
> {noformat}
> Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
>       at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
>       at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
>       at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
>       at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
>       at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
>       at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
>       at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
> {noformat}
> This check is failing. 
> [RSRpcServices|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L3815]
> {code}
>   @Override
>   public CoprocessorServiceResponse execRegionServerService(RpcController controller,
>     CoprocessorServiceRequest request) throws ServiceException {
>     rpcPreCheck("execRegionServerService");
>     return server.execRegionServerService(controller, request);
>   }
>   private void rpcPreCheck(String requestName) throws ServiceException {
>     try {
>       checkOpen();
>       requirePermission(requestName, Permission.Action.ADMIN);
>     } catch (IOException ioe) {
>       throw new ServiceException(ioe);
>     }
>   }
> {code}
> Why do we need ADMIN permissions to call a region server coproc? We don't need
> ADMIN permissions to call all region co-procs. We require ADMIN permissions
> to execute some region coprocs (compactionSwitch, clearRegionBlockCache).
> Can we change the permission to READ?


