https://issues.apache.org/jira/browse/PHOENIX-5905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17111717#comment-17111717
Rajeshbabu Chintaguntla commented on PHOENIX-5905:
--------------------------------------------------
[~elserj]
Thanks for looking into it.
bq. Inside PhoenixAccessController, we need to interrogate the permissions in
the AccessController (assuming HBase native authz). We do this by doing a
UGI.doAs as the "hbase" service user. The expectation was that this doAs is
sufficient for us to make all of the AccessControlClient.
To get the user permissions from AccessControlClient, the user need not be "hbase",
as it will just request the master/RS to get the permissions. Then the master/RS gets
the user permissions as the hbase user. So things will be fine with HBase native
authz.
The issue we get here is with a custom access controller service like Ranger. In
the case of non-native HBase authz we are directly calling getUserPermissions on
AccessControlService.Interface, which short-circuits the RPC as you mentioned
here, and the RpcContext has the system user. So if we reset the context to
null, then getActiveUser gets it from User.getCurrent(), which
gives the login user, which is "hbase". The reason we need hbase is that to get user
permissions on a table or namespace the user should have admin privileges.
bq. 1. Do we know where in HBase that RpcContext is being picked up? Are we
short-circuiting some RPC to actually do the lookup from inside
PhoenixAccessController?
bq. 2. No unit test updates with this patch. Do you think you could make an
addition to BasePermissionsIT for this change? Perhaps you tried and ran into
problem(s)?
It's a bit tricky, as we need to define custom access controller services and the
mini cluster should be started with them. We are resetting the RPC context
everywhere in the MetaDataEndpoint service but somehow it's missed in this place.
> Reset user to hbase by changing rpc context before getting user permissions
> on access controller service
> ---------------------------------------------------------------------------------------------------------
>
> Key: PHOENIX-5905
> URL: https://issues.apache.org/jira/browse/PHOENIX-5905
> Project: Phoenix
> Issue Type: Bug
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Priority: Major
> Fix For: 5.1.0, 4.16.0
>
> Attachments: PHOENIX-5905.patch
>
>
> Currently we are calling getUserPermissions with the hbase user directly on the
> access controller service, which is not an RPC call. If we don't reset the user,
> the system user will be considered and it might expect extra privileges to return
> the user permissions.
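The pattern the comment describes, written out as an added illustration that is not Phoenix's own code: a coprocessor-side call into the access controller is not a real RPC, so the thread-local RpcContext still carries the caller of the outer RPC; clearing it makes getActiveUser fall back to User.getCurrent(), the server's login user, for the duration of the lookup only. The helper names `RpcUtil.getRpcContext()` and `RpcUtil.setRpcContext(RpcCall)` are assumed here to match Phoenix's RPC-context helper; `RpcCall` and `User.getCurrent()` are HBase's.

```java
import java.util.concurrent.Callable;

import org.apache.hadoop.hbase.ipc.RpcCall;
import org.apache.hadoop.hbase.ipc.RpcUtil;   // assumed: Phoenix helper exposing the thread-local RPC context
import org.apache.hadoop.hbase.security.User;

/**
 * Added example (not Phoenix's code). Clears the RpcContext around a
 * privileged permission lookup so getActiveUser resolves to the login user,
 * then restores the original context so the rest of the outer RPC still
 * runs as the real caller.
 */
public final class RpcContextReset {

    private RpcContextReset() {}

    /**
     * Runs {@code work} with the RPC context cleared, restoring it afterwards.
     * Keep the scope of {@code work} as narrow as possible: everything inside it
     * is evaluated as the server's login user.
     */
    public static <T> T withClearedRpcContext(Callable<T> work) throws Exception {
        RpcCall saved = RpcUtil.getRpcContext();   // the outer RPC's call (may already be null)
        RpcUtil.setRpcContext(null);               // getActiveUser() now falls back to User.getCurrent()
        try {
            return work.call();
        } finally {
            RpcUtil.setRpcContext(saved);          // always restore, even when work throws
        }
    }

    /** Shows which user the access controller sees inside the cleared region. */
    public static String activeUserNameForLookup() throws Exception {
        return withClearedRpcContext(() -> User.getCurrent().getShortName());
    }
}
```

The restore in the finally block is the part that matters for safety: if the lookup throws and the context stayed null, every later check on that thread would run as the login user rather than the original caller.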