[
https://issues.apache.org/jira/browse/PHOENIX-5269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859627#comment-16859627
]
Lars Hofhansl edited comment on PHOENIX-5269 at 6/10/19 12:58 AM:
------------------------------------------------------------------
# Why is the PermissionsCacheIT different between 4.x-HBase-1.4 and
4.x-HBase-1.5? (Test class has a parameter in 1.4 but not 1.5)
# The PermissionsCacheIT has been failing since this change in 4.x-HBase-1.4
and nobody noticed(!) And it fails exactly because there's no no-parameter
constructor.
# Why is this not needed in 4.x-HBase-1.3?
# Where's the master patch?
This is confusing on many fronts. :)
Please do not 1/2 check-in changes. Now we have a 1/2 open jira with changes in
some branches and not in others, we can now neither close this jira, nor can we
leave it open.
In 4.x-HBase-1.4 let's either fix the test or revert.
was (Author: lhofhansl):
# Why is the PermissionsCacheIT different between 4.x-HBase-1.4 and
4.x-HBase-1.5? (Test class has a parameter in 1.4 but not 1.5)
# The PermissionsCacheIT has been failing since this change in 4.x-HBase-1.4
and nobody noticed(!) And it fails exactly because there's no no-parameter
constructor.
# Why is this not needed in 4.x-HBase-1.3?
# Where's the master patch?
This is confusing on many fronts. :)
Please do not 1/2 check-in changes. Now we have a 1/2 open jira with changes in
some branches and not in other, we neither close this jira, nor can we leave it
open.
In 4.x-HBase-1.4 let's either fix the test or revert.
> PhoenixAccessController should use AccessChecker instead of
> AccessControlClient for permission checks
> -----------------------------------------------------------------------------------------------------
>
> Key: PHOENIX-5269
> URL: https://issues.apache.org/jira/browse/PHOENIX-5269
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 4.14.1, 4.14.2
> Reporter: Andrew Purtell
> Assignee: Kiran Kumar Maturi
> Priority: Critical
> Fix For: 4.15.0, 4.14.2
>
> Attachments: PHOENIX-5269-4.14-HBase-1.4.patch,
> PHOENIX-5269-4.14-HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch,
> PHOENIX-5269.4.14-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch,
> PHOENIX-5269.4.x-HBase-1.4.v1.patch, PHOENIX-5269.4.x-HBase-1.5.v1.patch
>
>
> PhoenixAccessController should use AccessChecker instead of
> AccessControlClient for permission checks.
> In HBase, every RegionServer's AccessController maintains a local cache of
> permissions. At startup time they are initialized from the ACL table.
> Whenever the ACL table is changed (via grant or revoke) the AC on the ACL
> table "broadcasts" the change via zookeeper, which updates the cache. This is
> performed and managed by TableAuthManager but is exposed as API by
> AccessChecker. AccessChecker is the result of a refactor that was committed
> as far back as branch-1.4 I believe.
> Phoenix implements its own access controller and is using the client API
> AccessControlClient instead. AccessControlClient does not cache nor use the
> ZK-based cache update mechanism, because it is designed for client side use.
> The use of AccessControlClient instead of AccessChecker is not scalable.
> Every permissions check will trigger a remote RPC to the ACL table, which is
> generally going to be a single region hosted on a single RegionServer.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
