[ 
https://issues.apache.org/jira/browse/HBASE-28508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835914#comment-17835914
 ] 

Rushabh Shah commented on HBASE-28508:
--------------------------------------

>  You might have a coprocessor which does writes, or even alters things about 
> the cluster.

Not all the co-processors alter things about the cluster. It should be up to 
the coproc implementation to enforce permissions. For the RS coproc 
implementation in Phoenix, we just validate timestamps of the table and make a 
decision whether the cached table is stale or not. Also, since this coproc 
invocation happens on the client side, we have to enforce that all the clients 
have ADMIN permissions, which might not be true in current deployments. In short, 
for custom coprocs, we need to leave it up to the implementation to enforce permissions.
[~bbeaudreault] [~vjasani]

> Remove the need for ADMIN permissions for 
> RSRpcServices#execRegionServerService
> -------------------------------------------------------------------------------
>
>                 Key: HBASE-28508
>                 URL: https://issues.apache.org/jira/browse/HBASE-28508
>             Project: HBase
>          Issue Type: Bug
>          Components: acl
>    Affects Versions: 2.4.17, 2.5.8
>            Reporter: Rushabh Shah
>            Assignee: Rushabh Shah
>            Priority: Major
>              Labels: pull-request-available
>
> We have introduced a new regionserver coproc within Phoenix and all the 
> permission-related tests are failing with the following exception.
> {noformat}
> Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
>       at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
>       at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
>       at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
>       at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
>       at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
>       at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
>       at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
>       at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
> {noformat}
> This check is failing. 
> [RSRpcServices|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L3815]
> {code}
>   @Override
>   public CoprocessorServiceResponse execRegionServerService(RpcController controller,
>     CoprocessorServiceRequest request) throws ServiceException {
>     rpcPreCheck("execRegionServerService");
>     return server.execRegionServerService(controller, request);
>   }
>   private void rpcPreCheck(String requestName) throws ServiceException {
>     try {
>       checkOpen();
>       requirePermission(requestName, Permission.Action.ADMIN);
>     } catch (IOException ioe) {
>       throw new ServiceException(ioe);
>     }
>   }
> {code}
> Why do we need ADMIN permissions to call a region server coproc? We don't need 
> ADMIN permissions to call all region co-procs. We require ADMIN permissions 
> to execute some region coprocs (compactionSwitch, clearRegionBlockCache).
> Can we change the permission to READ? 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
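
Added example, not code from HBase, Phoenix or this thread: a self-contained Java model of the two options discussed above, the blanket ADMIN gate from the quoted rpcPreCheck versus a check delegated to the coprocessor service. All type, method and user names are hypothetical, and the ADMIN default for a service that declares nothing is an assumption of this sketch.

```java
import java.util.*;

// Self-contained model; none of these types are HBase or Phoenix classes.
public class CoprocPermissionModel {
  enum Action { READ, ADMIN }

  // Hypothetical contract: each service declares what a call needs.
  interface RegionServerService {
    // Fail closed: a service that declares nothing still requires ADMIN.
    default Action requiredAction(String method) { return Action.ADMIN; }
    String call(String method);
  }

  // Models the Phoenix case from the comment: it only compares timestamps.
  static class StalenessCheck implements RegionServerService {
    @Override public Action requiredAction(String method) { return Action.READ; }
    @Override public String call(String method) { return "cached table is current"; }
  }

  // Models a service that alters server state and declares nothing.
  static class CacheClear implements RegionServerService {
    @Override public String call(String method) { return "cache cleared"; }
  }

  // Constructed grants for two constructed users.
  static final Map<String, Set<Action>> GRANTS = Map.of(
    "reader", EnumSet.of(Action.READ), "admin", EnumSet.allOf(Action.class));

  // deferToService=false models the quoted rpcPreCheck: ADMIN for every call.
  static String exec(String user, RegionServerService s, String m, boolean deferToService) {
    Action needed = deferToService ? s.requiredAction(m) : Action.ADMIN;
    if (!GRANTS.getOrDefault(user, EnumSet.noneOf(Action.class)).contains(needed)) {
      return "DENIED " + user + " (action=" + needed + ")";
    }
    return s.call(m);
  }

  public static void main(String[] args) {
    RegionServerService stale = new StalenessCheck(), clear = new CacheClear();
    // Read-only user, read-only service, blanket ADMIN gate.
    System.out.println(exec("reader", stale, "validate", false));
    // Same call with the check delegated to the service.
    System.out.println(exec("reader", stale, "validate", true));
    // Delegated check against a service that never declared a requirement.
    System.out.println(exec("reader", clear, "clear", true));
    System.out.println(exec("admin", clear, "clear", true));
  }
}
```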
