  1. HBase
  2. HBASE-28508

Remove the need for ADMIN permissions for RSRpcServices#execRegionServerService


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.4.17, 2.5.8
    • None
    • acl

    Description

      We have introduced a new regionserver coproc within Phoenix, and all the permission-related tests are failing with the following exception.

      Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'groupUser_N000042' (global, action=ADMIN)
      	at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
      	at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
      	at org.apache.hadoop.hbase.regionserver.RSRpcServices.requirePermission(RSRpcServices.java:1318)
      	at org.apache.hadoop.hbase.regionserver.RSRpcServices.rpcPreCheck(RSRpcServices.java:584)
      	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execRegionServerService(RSRpcServices.java:3804)
      	at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:45016)
      	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
      	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
      	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
      	at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
      

      This check is failing, in RSRpcServices:

        @Override
        public CoprocessorServiceResponse execRegionServerService(RpcController controller,
          CoprocessorServiceRequest request) throws ServiceException {
          rpcPreCheck("execRegionServerService");
          return server.execRegionServerService(controller, request);
        }
      
        private void rpcPreCheck(String requestName) throws ServiceException {
          try {
            checkOpen();
            requirePermission(requestName, Permission.Action.ADMIN);
          } catch (IOException ioe) {
            throw new ServiceException(ioe);
          }
        }
      

      Why do we need ADMIN permissions to call a region server coproc? We don't need ADMIN permissions to call all region co-procs. We require ADMIN permissions to execute some region coprocs (compactionSwitch, clearRegionBlockCache).

      Can we change the permission to READ?
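
The trade-off raised above, as an added example that is not part of the original issue and is not HBase code: a simplified model comparing the blanket ADMIN pre-check with a per-service check that falls back to ADMIN for any service without an explicit entry. The policy table, class and method names, and `ExampleReadOnlyService` are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
// Simplified model for illustration; not HBase code. Everything except the
// ADMIN/READ actions and the operation names quoted from the issue is hypothetical.
public class RsServiceAuthzSketch {
  enum Action { READ, ADMIN }
  static class AccessDenied extends Exception {
    AccessDenied(String user, Action needed) {
      super("Insufficient permissions for user '" + user + "' (global, action=" + needed + ")");
    }
  }

  // Assumed policy table: the global action each operation requires.
  static final Map<String, Action> REQUIRED = Map.of(
      "compactionSwitch", Action.ADMIN,        // named in the issue as ADMIN-only
      "clearRegionBlockCache", Action.ADMIN,   // named in the issue as ADMIN-only
      "ExampleReadOnlyService", Action.READ);  // constructed service name

  // Blanket check, as in rpcPreCheck above: every call needs ADMIN.
  static void blanketCheck(String user, Set<Action> granted) throws AccessDenied {
    if (!granted.contains(Action.ADMIN)) throw new AccessDenied(user, Action.ADMIN);
  }

  // Per-service check: a service missing from the table falls back to ADMIN,
  // so a newly loaded coprocessor is never exposed at READ by accident.
  static void perServiceCheck(String user, Set<Action> granted, String service) throws AccessDenied {
    Action needed = REQUIRED.getOrDefault(service, Action.ADMIN);
    if (!granted.contains(needed)) throw new AccessDenied(user, needed);
  }

  static String outcome(boolean blanket, String user, Set<Action> granted, String service) {
    try {
      if (blanket) blanketCheck(user, granted); else perServiceCheck(user, granted, service);
      return "allowed";
    } catch (AccessDenied e) {
      return e.getMessage();
    }
  }

  public static void main(String[] args) {
    Set<Action> readOnly = EnumSet.of(Action.READ);  // constructed grant
    String user = "groupUser_N000042";               // user from the stack trace
    for (String svc : new String[] {"ExampleReadOnlyService", "compactionSwitch", "UnlistedService"}) {
      System.out.println(svc + " | blanket: " + outcome(true, user, readOnly, svc)
          + " | per-service: " + outcome(false, user, readOnly, svc));
    }
  }
}
```

With a READ-only grant, only the explicitly listed read-only service passes the per-service check; the ADMIN-only operations and the unlisted service are still denied.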

            People

              shahrs87 Rushabh Shah