Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-16141

Unwind use of UserGroupInformation.doAs() to convey requester identity in coprocessor upcalls

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Later
    • None
    • None
    • Coprocessors, security
    • None

    Description

      In discussion on HBASE-16115, there is some discussion of whether UserGroupInformation.doAs() is the right mechanism for propagating the original requester's identify in certain system contexts (splits, compactions, some procedure calls). It has the unfortunately of overriding the current user, which makes for very confusing semantics for coprocessor implementors. We should instead find an alternate mechanism for conveying the caller identity, which does not override the current user context.

      I think we should instead look at passing this through as part of the ObserverContext passed to every coprocessor hook.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. HBASE-16115 Missing security context in RegionObserver coprocessor when a compaction/split is triggered manually

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. PHOENIX-3037 Setup proper security context in compaction/split coprocessor hooks

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              ghelmling Gary Helmling
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: