You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Pankaj Kumar (Jira)" <ji...@apache.org> on 2020/05/09 08:44:00 UTC
[jira] [Comment Edited] (HBASE-24345) [ACL] renameRSGroup should
require Admin level permission
[ https://issues.apache.org/jira/browse/HBASE-24345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17103201#comment-17103201 ]
Pankaj Kumar edited comment on HBASE-24345 at 5/9/20, 8:43 AM:
---------------------------------------------------------------
In branch-2 RSGroupAdminEndpoint is itself a CP, so ACL check for RSGroup Admin APIs was done directly through AccessChecker instead of adding AcecssController hook.
https://issues.apache.org/jira/browse/HBASE-19483?focusedCommentId=16290084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16290084
So custom authorization pluging like Ranger (RangerAuthorizationCoprocessor.java) wont be able to validate RSGroup APIs operations.
IMO, branch-2 AcecssController should have hooks for RSGroup Admin APIs.
[~zhangduo] [~anoop.hbase] please provide your opinion.
was (Author: pankajkumar):
[~zhangduo]
> [ACL] renameRSGroup should require Admin level permission
> ---------------------------------------------------------
>
> Key: HBASE-24345
> URL: https://issues.apache.org/jira/browse/HBASE-24345
> Project: HBase
> Issue Type: Improvement
> Components: acl, rsgroup
> Reporter: Reid Chan
> Assignee: Reid Chan
> Priority: Major
>
> Currently renameRSgroup can be called by anyone without permission
--
This message was sent by Atlassian Jira
(v8.3.4#803005)