[ https://issues.apache.org/jira/browse/PHOENIX-5269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16839074#comment-16839074 ]

Kiran Kumar Maturi edited comment on PHOENIX-5269 at 5/14/19 4:58 AM:
----------------------------------------------------------------------

[~tdsilva] AccessControlClient is being used to get/grant permissions and 
AccessChecker can check/grant for permissions.

Currently, for granting permissions to a table/index/view we get all 
(table, group) permissions from hbase:acl and user-defined permissions, 
compute the delta and then grant them using AccessControlClient. We can modify 
it to use the current (after patch) hasAccess method and check if 
permissions and grant (using AccessChecker) the required permissions rather 
than getting all the permissions; that would need more work and will have to 
consider all the scenarios (Index/View). I think it would be better to do it in 
a separate Jira. Please share your thoughts.

[~abhishek.chouhan] thanks for the review. I have uploaded the new patch with 
the changes.


was (Author: kiran.maturi):
[~tdsilva] AccessControlClient is being used to get/grant permissions and 
AccessChecker can check/grant for permissions.

For granting permissions to a table/index/view, currently we get all (table, 
group) permissions from hbase:acl and user-defined permissions, compute the 
delta and then grant them using AccessControlClient. We can modify it to 
use the current (after patch) hasAccess method and check if permissions and 
grant (using AccessChecker) the required permissions rather than getting all 
the permissions; that would need more work and will have to consider all the 
scenarios (Index/View). I think it would be better to do it in a separate Jira. 
Please share your thoughts.

[~abhishek.chouhan] thanks for the review. I have uploaded the new patch with 
the changes.

> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks
> -----------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5269
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5269
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1, 4.14.2
>            Reporter: Andrew Purtell
>            Assignee: Kiran Kumar Maturi
>            Priority: Critical
>         Attachments: PHOENIX-5269-4.14-HBase-1.4.patch, 
> PHOENIX-5269-4.14-HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch, 
> PHOENIX-5269.4.14-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch
>
>
> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks. 
> In HBase, every RegionServer's AccessController maintains a local cache of 
> permissions. At startup time they are initialized from the ACL table. 
> Whenever the ACL table is changed (via grant or revoke) the AC on the ACL 
> table "broadcasts" the change via zookeeper, which updates the cache. This is 
> performed and managed by TableAuthManager but is exposed as API by 
> AccessChecker. AccessChecker is the result of a refactor that was committed 
> as far back as branch-1.4 I believe.
> Phoenix implements its own access controller and is using the client API 
> AccessControlClient instead. AccessControlClient does not cache nor use the 
> ZK-based cache update mechanism, because it is designed for client side use.
> The use of AccessControlClient instead of AccessChecker is not scalable. 
> Every permissions check will trigger a remote RPC to the ACL table, which is 
> generally going to be a single region hosted on a single RegionServer. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
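
A simplified model of the two designs contrasted in the issue description, added here as an illustration; it is not Phoenix or HBase code, and the names `AclTable`, `ClientStyleChecker`, `CachedChecker` and `simulate` are hypothetical. It counts reads against the single ACL region for five servers doing 1,000 checks each, then confirms that a revoke reaches every cached copy.

```python
"""Simplified model (constructed): per-check ACL reads vs. a local cache."""

class AclTable:
    """Stands in for hbase:acl: a single region on one RegionServer."""
    def __init__(self):
        self.perms = {}       # (user, table) -> set of actions
        self.reads = 0        # remote reads this one region had to serve
        self.watchers = []    # stands in for the ZooKeeper-based broadcast

    def scan(self):
        self.reads += 1
        return {k: set(v) for k, v in self.perms.items()}

    def change(self, user, table, action, grant=True):
        acts = self.perms.setdefault((user, table), set())
        (acts.add if grant else acts.discard)(action)
        snapshot = {k: set(v) for k, v in self.perms.items()}
        for w in self.watchers:   # pushed to each server, no ACL-table read
            w.cache = snapshot

class ClientStyleChecker:
    """AccessControlClient-style: every check is a remote read."""
    def __init__(self, acl):
        self.acl = acl

    def has_access(self, user, table, action):
        return action in self.acl.scan().get((user, table), set())

class CachedChecker:
    """AccessChecker-style: load once at startup, then follow broadcasts."""
    def __init__(self, acl):
        self.cache = acl.scan()
        acl.watchers.append(self)

    def has_access(self, user, table, action):
        return action in self.cache.get((user, table), set())

def simulate(checker_cls, servers=5, checks=1000):
    acl = AclTable()
    acl.change("alice", "T1", "READ")
    nodes = [checker_cls(acl) for _ in range(servers)]
    allowed = sum(n.has_access("alice", "T1", "READ") for n in nodes for _ in range(checks))
    acl.change("alice", "T1", "READ", grant=False)
    stale = any(n.has_access("alice", "T1", "READ") for n in nodes)  # access after revoke?
    return acl.reads, allowed, stale

if __name__ == "__main__":
    print(simulate(ClientStyleChecker))
    print(simulate(CachedChecker))
```
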