[ 
https://issues.apache.org/jira/browse/PHOENIX-5269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861742#comment-16861742
 ] 

Kiran Kumar Maturi commented on PHOENIX-5269:
---------------------------------------------

[~tdsilva] I need some help with the master patch. Tests are failing as the 
zookeeper watcher is not being initialized. 

PhoenixMetaDataControllerEnvironment in master branch implements 
CoprocessorEnvironment [github 
link|https://github.com/apache/phoenix/blob/master/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixMetaDataCoprocessorHost.java#L135]
{code:java}
public static class PhoenixMetaDataControllerEnvironment extends 
BaseEnvironment<PhoenixCoprocessor>
implements CoprocessorEnvironment<PhoenixCoprocessor> {
{code}
For 4.x-HBase-1.5 branch PhoenixMetaDataControllerEnvironment implements 
RegionCoprocessorEnvironment [github 
link|https://github.com/apache/phoenix/blob/4.x-HBase-1.5/phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixMetaDataCoprocessorHost.java#L117]
 which provided the RegionServerServices to get the zookeeper
{code:java}
public static class PhoenixMetaDataControllerEnvironment extends 
CoprocessorHost.Environment
        implements RegionCoprocessorEnvironment {
{code}
For the master branch PhoenixMetaDataControllerEnvironment provides an instance 
of RegionCoprocessorHost
{code:java}
PhoenixMetaDataControllerEnvironment.getCoprocessorHost()
{code}
I am not sure if 
CoprocessorHost#[checkAndLoadInstance|https://hbase.apache.org/2.0/devapidocs/org/apache/hadoop/hbase/regionserver/RegionCoprocessorHost.html#checkAndGetInstance-java.lang.Class-]()
 can be used to get an instance of HasRegionServices/RegionServerServices to 
get the zookeeper. Please suggest.

[~apurtell] [~lhofhansl]

 

> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks
> -----------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5269
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5269
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1, 4.14.2
>            Reporter: Andrew Purtell
>            Assignee: Kiran Kumar Maturi
>            Priority: Critical
>             Fix For: 4.15.0, 4.14.2
>
>         Attachments: PHOENIX-5269-4.14-HBase-1.4.patch, 
> PHOENIX-5269-4.14-HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch, 
> PHOENIX-5269.4.14-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch, 
> PHOENIX-5269.4.x-HBase-1.4.v1.patch, PHOENIX-5269.4.x-HBase-1.5.v1.patch, 
> PHOENIX-5269.master.v1.patch
>
>
> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks. 
> In HBase, every RegionServer's AccessController maintains a local cache of 
> permissions. At startup time they are initialized from the ACL table. 
> Whenever the ACL table is changed (via grant or revoke) the AC on the ACL 
> table "broadcasts" the change via zookeeper, which updates the cache. This is 
> performed and managed by TableAuthManager but is exposed as API by 
> AccessChecker. AccessChecker is the result of a refactor that was committed 
> as far back as branch-1.4 I believe.
> Phoenix implements its own access controller and is using the client API 
> AccessControlClient instead. AccessControlClient does not cache nor use the 
> ZK-based cache update mechanism, because it is designed for client side use.
> The use of AccessControlClient instead of AccessChecker is not scalable. 
> Every permissions check will trigger a remote RPC to the ACL table, which is 
> generally going to be a single region hosted on a single RegionServer. 


