Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-5269

PhoenixAccessController should use AccessChecker instead of AccessControlClient for permission checks

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 4.14.1, 4.14.2
    • 4.15.0, 5.1.0, 4.14.2
    • None
    • None

    Description

      PhoenixAccessController should use AccessChecker instead of AccessControlClient for permission checks.

      In HBase, every RegionServer's AccessController maintains a local cache of permissions. At startup time they are initialized from the ACL table. Whenever the ACL table is changed (via grant or revoke) the AC on the ACL table "broadcasts" the change via zookeeper, which updates the cache. This is performed and managed by TableAuthManager but is exposed as API by AccessChecker. AccessChecker is the result of a refactor that was committed as far back as branch-1.4 I believe.

      Phoenix implements its own access controller and is using the client API AccessControlClient instead. AccessControlClient does not cache nor use the ZK-based cache update mechanism, because it is designed for client side use.

      The use of AccessControlClient instead of AccessChecker is not scalable. Every permissions check will trigger a remote RPC to the ACL table, which is generally going to be a single region hosted on a single RegionServer.

      Attachments

        1. diff.patch
          5 kB
          Thomas D'Silva
        2. PHOENIX-5269.4.14-HBase-1.3.v1.patch
          17 kB
          Kiran Kumar Maturi
        3. PHOENIX-5269.4.14-HBase-1.4.v3.patch
          17 kB
          Kiran Kumar Maturi
        4. PHOENIX-5269.4.14-HBase-1.4.v4.patch
          17 kB
          Kiran Kumar Maturi
        5. PHOENIX-5269.4.x-HBase-1.3.v1.patch
          17 kB
          Kiran Kumar Maturi
        6. PHOENIX-5269.4.x-HBase-1.4.v1.patch
          17 kB
          Kiran Kumar Maturi
        7. PHOENIX-5269.4.x-HBase-1.5.v1.patch
          17 kB
          Kiran Kumar Maturi
        8. PHOENIX-5269.master.v1.patch
          18 kB
          Kiran Kumar Maturi
        9. PHOENIX-5269.master.v2.patch
          19 kB
          Kiran Kumar Maturi
        10. PHOENIX-5269-4.14-HBase-1.4.patch
          11 kB
          Kiran Kumar Maturi
        11. PHOENIX-5269-4.14-HBase-1.4.v1.patch
          11 kB
          Kiran Kumar Maturi
        12. PHOENIX-5269-4.14-HBase-1.4.v2.patch
          11 kB
          Kiran Kumar Maturi

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. PHOENIX-5267 With namespaces enabled Phoenix client times out with high loads

          • Major - Major loss of function.
          • Closed
          relates to

          Task - A task that needs to be done. HBASE-22374 Backport AccessChecker refactor to branch-1.3

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Task - A task that needs to be done. HBASE-22375 Promote AccessChecker to LimitedPrivate(Coprocessor)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          supercedes

          Bug - A problem which impairs or prevents the functions of the product. PHOENIX-5267 With namespaces enabled Phoenix client times out with high loads

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. PHOENIX-5149 Set minimum HBase 1.4 version to 1.4.3

          • Trivial - Cosmetic problem like misspelt words or misaligned text.
          • Resolved

          Activity

            People

              kiran.maturi Kiran Kumar Maturi
              apurtell Andrew Kyle Purtell
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: