[jira] [Commented] (PHOENIX-5269) PhoenixAccessController should use AccessChecker instead of AccessControlClient for permission checks

Wed, 19 Jun 2019 02:03:44 -0700 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-5269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867414#comment-16867414
 ] 

Hudson commented on PHOENIX-5269:
---------------------------------

FAILURE: Integrated in Jenkins build Phoenix-4.x-HBase-1.3 #441 (See 
[https://builds.apache.org/job/Phoenix-4.x-HBase-1.3/441/])
PHOENIX-5269 use AccessChecker to check for user permisssions (tdsilva: rev 
eb8ac33029cd1ce781bf2f8b826502f642f735c5)
* (edit) pom.xml
* (add) 
phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionsCacheIT.java
* (edit) 
phoenix-core/src/main/java/org/apache/phoenix/coprocessor/PhoenixAccessController.java


> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks
> -----------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5269
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5269
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1, 4.14.2
>            Reporter: Andrew Purtell
>            Assignee: Kiran Kumar Maturi
>            Priority: Critical
>             Fix For: 4.15.0, 4.14.2
>
>         Attachments: PHOENIX-5269-4.14-HBase-1.4.patch, 
> PHOENIX-5269-4.14-HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch, 
> PHOENIX-5269.4.14-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch, 
> PHOENIX-5269.4.x-HBase-1.3.v1.patch, PHOENIX-5269.4.x-HBase-1.4.v1.patch, 
> PHOENIX-5269.4.x-HBase-1.5.v1.patch, PHOENIX-5269.master.v1.patch, 
> PHOENIX-5269.master.v2.patch, diff.patch
>
>
> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks. 
> In HBase, every RegionServer's AccessController maintains a local cache of 
> permissions. At startup time they are initialized from the ACL table. 
> Whenever the ACL table is changed (via grant or revoke) the AC on the ACL 
> table "broadcasts" the change via zookeeper, which updates the cache. This is 
> performed and managed by TableAuthManager but is exposed as API by 
> AccessChecker. AccessChecker is the result of a refactor that was committed 
> as far back as branch-1.4 I believe.
> Phoenix implements its own access controller and is using the client API 
> AccessControlClient instead. AccessControlClient does not cache nor use the 
> ZK-based cache update mechanism, because it is designed for client side use.
> The use of AccessControlClient instead of AccessChecker is not scalable. 
> Every permissions check will trigger a remote RPC to the ACL table, which is 
> generally going to be a single region hosted on a single RegionServer. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to