You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2024/04/09 23:41:00 UTC

[jira] [Commented] (HBASE-28508) Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService

    [ https://issues.apache.org/jira/browse/HBASE-28508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835553#comment-17835553 ] 

Bryan Beaudreault commented on HBASE-28508:
-------------------------------------------

The problem with execCoprocessor is it can be very powerful. You might have a coprocessor which does writes, or even alters things about the cluster. I think it makes sense for ADMIN to be the default, but I wonder if there's a way we could customize it per endpoint.

> Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService
> -------------------------------------------------------------------------------
>
>                 Key: HBASE-28508
>                 URL: https://issues.apache.org/jira/browse/HBASE-28508
>             Project: HBase
>          Issue Type: Bug
>          Components: acl
>    Affects Versions: 2.4.17, 2.5.8
>            Reporter: Rushabh Shah
>            Assignee: Rushabh Shah
>            Priority: Major
>              Labels: pull-request-available
>
> We have introduced a new regionserver coproc within phoenix and all the permission related tests are failing with the following exception.
> {noformat}
> Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
> 	at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
> 	at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
> 	at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
> 	at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
> 	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
> 	at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
> 	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
> 	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
> 	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
> 	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
> {noformat}
> This check is failing. [RSRpcServices|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L3815]
> {code}
>   @Override
>   public CoprocessorServiceResponse execRegionServerService(RpcController controller,
>     CoprocessorServiceRequest request) throws ServiceException {
>     rpcPreCheck("execRegionServerService");
>     return server.execRegionServerService(controller, request);
>   }
>   private void rpcPreCheck(String requestName) throws ServiceException {
>     try {
>       checkOpen();
>       requirePermission(requestName, Permission.Action.ADMIN);
>     } catch (IOException ioe) {
>       throw new ServiceException(ioe);
>     }
>   }
> {code}
> Why do we need ADMIN permissions to call region server coproc? We don't need ADMIN permissions to call all region co-procs. We require ADMIN permissions to execute some region coprocs (compactionSwitch, clearRegionBlockCache).
> Can we change the permission to READ? 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)