Posted to issues@hbase.apache.org by "Guanghao Zhang (JIRA)" <ji...@apache.org> on 2019/02/01 06:39:00 UTC

[jira] [Commented] (HBASE-21814) Remove the TODO in AccessControlLists#addUserPermission

    [ https://issues.apache.org/jira/browse/HBASE-21814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16758023#comment-16758023 ] 

Guanghao Zhang commented on HBASE-21814:
----------------------------------------

Ping [~anoop.hbase] [~stack] for reviewing.

> Remove the TODO in AccessControlLists#addUserPermission
> -------------------------------------------------------
>
>                 Key: HBASE-21814
>                 URL: https://issues.apache.org/jira/browse/HBASE-21814
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Guanghao Zhang
>            Assignee: Guanghao Zhang
>            Priority: Major
>             Fix For: 3.0.0, 2.2.0, 2.3.0
>
>         Attachments: HBASE-21814.master.001.patch, HBASE-21814.master.001.patch, HBASE-21814.master.002.patch
>
>
> The TODO was added by me. Because this method happens within the RS. The old impl uses a login user (User.runAsLoginUser, where the login user is the user who started the RS process) to call Table.put(). And it will check the permission when putting a record to the ACL table. At RpcServer we have a ThreadLocal where we keep the CallContext, and inside that the current RPC called user info is set. We need Table.put(List<Put>) to change to a new thread and so the old ThreadLocal variable is not accessible, and so it looks as if there is no Rpc context and we were relying on the super user who starts the RS process.
>  
> {code:java}
> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
>           @Override
>           public Void run() throws Exception {
>             AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm,
>               regionEnv.getTable(AccessControlLists.ACL_TABLE_NAME), request.getMergeExistingPermissions());
>             return null;
>           }
>         });
> {code}
>  
> But after HBASE-21739, there is no need to use User.runAsLoginUser. Because we will call the Admin method to grant/revoke. And this will be executed in master and use the master user (the user who started the master process) to call Table.put. So this is not a problem now.


