[
https://issues.apache.org/jira/browse/PHOENIX-5905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112351#comment-17112351
]
Josh Elser commented on PHOENIX-5905:
-------------------------------------
Thanks for the great explanation, [~rajeshbabu]! This all makes sense now. +1
on this patch.
bq. It's a bit tricky what we need to define custom access controller services
and mini cluster should be started with it. We are using reset rpc context
everywhere in metadataendpoint service but somehow it's missed in this place.
I can understand how this is very hard to get correct, especially when we have
the AccessController implementation and the Ranger implementation which have
different semantics. Probably not a good idea to take a dependency on Ranger,
but maybe we could mock a custom authz endpoint which acts like Ranger does,
and make our testing suite here a little better? Thinking out loud for future
improvements.
> Reset user to hbase by changing rpc context before getting user permissions
> on access controller service
> ---------------------------------------------------------------------------------------------------------
>
> Key: PHOENIX-5905
> URL: https://issues.apache.org/jira/browse/PHOENIX-5905
> Project: Phoenix
> Issue Type: Bug
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Priority: Major
> Fix For: 5.1.0, 4.16.0
>
> Attachments: PHOENIX-5905.patch
>
>
> Currently we are calling getUserPermissions with hbase user directly on
> access controller service which is not an rpc call. If we don't reset user,
> system user will be considered and might expect extra privileges to return
> the user permissions.