  1. HBase
  2. HBASE-25441

add security check for some APIs in RSRpcServices


    Details

    • Hadoop Flags:
      Reviewed
    • Release Note:
      RsRpcServices APIs that can be accessed only through Admin rights:
      - stopServer
      - updateFavoredNodes
      - updateConfiguration
      - clearRegionBlockCache
      - clearSlowLogsResponses

      Description

       

      | API | Severity | Symptom |
      |---|---|---|
      | clearRegionBlockCache | Severe | The API will call LruBlockCache.evictBlocksByHfileName, which is declared as an expensive operation (see its comments), thus a non-admin may cause DoS |
      | clearSlowLogsResponses | Normal | Clears queue records from the ring buffer |
      | updateConfiguration | Normal | A non-admin user can make the RS reload configuration from disk via this API |
      | updateRegionFavoredNodesMapping | Normal | A non-admin user can change the region's best storage location via this API |
      | stopServer | Low | stopServer on RS is silent, which makes the client think he/she successfully shut down the RS. Adding preRpcCheck not only makes the client receive the failure message, but also prevents a non-admin user from stopping the RS, even when hbase.coprocessor.regionserver.classes is not configured. |
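
The design point in the stopServer row, as an added example (a toy model, not HBase source and not part of this issue): authorization that lives only in an optional hook versus an unconditional admin check at the RPC entry point. The class, the Hook interface, the user names and the swallowed-denial behaviour are assumptions modelled on the description; only the RPC names and preRpcCheck come from the page.

```java
import java.util.List;
import java.util.Set;

// Toy model with hypothetical names; not HBase source code.
public class AdminGateDemo {
    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }
    // Stand-in for an optional region server coprocessor hook.
    interface Hook { void preStop(String user); }
    // RPC names taken from the release note.
    static final Set<String> ADMIN_ONLY = Set.of("stopServer", "updateFavoredNodes",
        "updateConfiguration", "clearRegionBlockCache", "clearSlowLogsResponses");

    final Set<String> admins;
    final List<Hook> hooks;   // empty when no coprocessor is configured
    boolean stopped;

    AdminGateDemo(Set<String> admins, List<Hook> hooks) { this.admins = admins; this.hooks = hooks; }

    // Before (assumed model): only hooks can object, and the caller never sees a denial.
    String stopServerBefore(String user) {
        try {
            for (Hook h : hooks) h.preStop(user);
            stopped = true;
        } catch (AccessDenied e) { /* swallowed: the failure is silent */ }
        return "OK";
    }
    // After: unconditional admin check at the RPC entry point, reported to the caller.
    void preRpcCheck(String rpc, String user) {
        if (ADMIN_ONLY.contains(rpc) && !admins.contains(user))
            throw new AccessDenied(user + " needs ADMIN for " + rpc);
    }
    String stopServerAfter(String user) {
        preRpcCheck("stopServer", user);
        return stopServerBefore(user);
    }

    public static void main(String[] args) {
        Hook acl = u -> { if (!u.equals("hbase")) throw new AccessDenied("hook denied " + u); };
        AdminGateDemo guarded = new AdminGateDemo(Set.of("hbase"), List.of(acl));
        System.out.println(guarded.stopServerBefore("alice") + " stopped=" + guarded.stopped);
        AdminGateDemo bare = new AdminGateDemo(Set.of("hbase"), List.of());
        System.out.println(bare.stopServerBefore("alice") + " stopped=" + bare.stopped);
        bare.stopped = false;
        try { bare.stopServerAfter("alice"); }
        catch (AccessDenied e) { System.out.println("denied: " + e.getMessage() + " stopped=" + bare.stopped); }
    }
}
```

The three printed lines cover, in order, a hook denial the caller never learns about, a non-admin stop succeeding when no hook is configured, and the entry-point check rejecting the same call with an error the caller receives.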

       

            People

            • Assignee:
              xiaoheipangzi lujie
              Reporter:
              xiaoheipangzi lujie