[ https://issues.apache.org/jira/browse/PHOENIX-5905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17111475#comment-17111475 ]

Josh Elser commented on PHOENIX-5905:
-------------------------------------

Making sure I have this correct.

Inside PhoenixAccessController, we need to interrogate the permissions in the 
AccessController (assuming HBase native authz). We do this by doing a UGI.doAs 
as the "hbase" service user. The expectation was that this doAs is sufficient 
for us to make all of the AccessControlClient.

However, the bug you've found is that, when we're doing the doAs as "hbase" and 
we call AccessControlClient, we end up falling back to the RPC user (when we 
have one). Is that right? 

If that's the case, your fix sounds right to me. Two questions:
1. Do we know where in HBase that RpcContext is being picked up? Are we 
short-circuiting some RPC to actually do the lookup from inside 
PhoenixAccessController?
2. No unit test updates with this patch. Do you think you could make an 
addition to BasePermissionsIT for this change? Perhaps you tried and ran into 
problem(s)?

> Reset user to hbase by changing rpc context before getting user permissions 
> on access controller service 
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5905
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5905
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Rajeshbabu Chintaguntla
>            Assignee: Rajeshbabu Chintaguntla
>            Priority: Major
>             Fix For: 5.1.0, 4.16.0
>
>         Attachments: PHOENIX-5905.patch
>
>
> Currently we are calling getUserPermissions with hbase user directly on 
> access controller service which is not an RPC call. If we don't reset user, 
> system user will be considered and might expect extra privileges to return 
> the user permissions.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
