Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-16141

Unwind use of UserGroupInformation.doAs() to convey requester identity in coprocessor upcalls

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Later
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Coprocessors, security
    • Labels:
      None

      Description

      In discussion on HBASE-16115, there is some discussion of whether UserGroupInformation.doAs() is the right mechanism for propagating the original requester's identify in certain system contexts (splits, compactions, some procedure calls). It has the unfortunately of overriding the current user, which makes for very confusing semantics for coprocessor implementors. We should instead find an alternate mechanism for conveying the caller identity, which does not override the current user context.

      I think we should instead look at passing this through as part of the ObserverContext passed to every coprocessor hook.

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ghelmling Gary Helmling

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment