When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway support 'doAs' proxy user from the Rest client.
The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string).
The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'.
For example, potentially, 'user1' can 'doAs=admin'
The correct implementation should check to see if the rest client user is authorized to do impersonation.