You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2024/04/09 23:41:00 UTC
[jira] [Commented] (HBASE-28508) Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService
[ https://issues.apache.org/jira/browse/HBASE-28508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835553#comment-17835553 ]
Bryan Beaudreault commented on HBASE-28508:
-------------------------------------------
The problem with execCoprocessor is it can be very powerful. You might have a coprocessor which does writes, or even alters things about the cluster. I think it makes sense for ADMIN to be the default, but I wonder if there's a way we could customize it per endpoint.
> Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService
> -------------------------------------------------------------------------------
>
> Key: HBASE-28508
> URL: https://issues.apache.org/jira/browse/HBASE-28508
> Project: HBase
> Issue Type: Bug
> Components: acl
> Affects Versions: 2.4.17, 2.5.8
> Reporter: Rushabh Shah
> Assignee: Rushabh Shah
> Priority: Major
> Labels: pull-request-available
>
> We have introduced a new regionserver coproc within phoenix and all the permission related tests are failing with the following exception.
> {noformat}
> Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
> at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
> at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
> at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
> at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
> at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
> {noformat}
> This check is failing. [RSRpcServices|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L3815]
> {code}
> @Override
> public CoprocessorServiceResponse execRegionServerService(RpcController controller,
> CoprocessorServiceRequest request) throws ServiceException {
> rpcPreCheck("execRegionServerService");
> return server.execRegionServerService(controller, request);
> }
> private void rpcPreCheck(String requestName) throws ServiceException {
> try {
> checkOpen();
> requirePermission(requestName, Permission.Action.ADMIN);
> } catch (IOException ioe) {
> throw new ServiceException(ioe);
> }
> }
> {code}
> Why do we need ADMIN permissions to call region server coproc? We don't need ADMIN permissions to call all region co-procs. We require ADMIN permissions to execute some region coprocs (compactionSwitch, clearRegionBlockCache).
> Can we change the permission to READ?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)