Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 2.4.17, 2.5.7
Description
Why do we need ADMIN permissions for AccessController#preListDecommissionedRegionServers?
From Phoenix, we are calling Admin#getRegionServers(true) where the argument excludeDecommissionedRS is set to true. Refer here.
If excludeDecommissionedRS is set to true and if we have AccessController co-proc attached, it requires ADMIN permissions to execute listDecommissionedRegionServers RPC. Refer here.
    @Override
    public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)
        throws IOException {
      requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);
    }
I understand that we need ADMIN permissions for preDecommissionRegionServers and preRecommissionRegionServer because they change the membership of regionservers, but I don't see any need for ADMIN permissions for listDecommissionedRegionServers. Do you think we can remove the need for ADMIN permissions for the listDecommissionedRegionServers RPC?
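The call path described in this report, as an added example that is not part of the original report and is not HBase or Phoenix code: a self-contained model showing that a composite read call inherits the strictest permission of the RPCs it issues. Only the RPC names and the `excludeDecommissionedRS` argument come from the report; the classes, the users `ops` and `app`, and the server names are constructed, and the ungated server-name listing is an assumption of the model.

```java
import java.util.*;
// Simplified model, not HBase code. Only the RPC names come from the issue;
// classes, users and server names are constructed for illustration.
public class DecommissionAclModel {
  enum Action { READ, ADMIN }
  static class Master {
    final Map<String, Set<Action>> grants = new HashMap<>();
    final List<String> servers = List.of("rs1", "rs2", "rs3");
    final Set<String> decommissioned = new HashSet<>();
    // Gate run before an RPC, mirroring the requirePermission call quoted above.
    void requirePermission(String user, String request, Action needed) {
      if (!grants.getOrDefault(user, Set.of()).contains(needed)) {
        throw new SecurityException(user + " lacks " + needed + " for " + request);
      }
    }
    // Assumption of this model: listing all server names needs no ADMIN grant.
    List<String> serverNames() { return servers; }

    List<String> listDecommissionedRegionServers(String user) {
      requirePermission(user, "listDecommissionedRegionServers", Action.ADMIN);
      return new ArrayList<>(decommissioned);
    }
    void decommissionRegionServers(String user, String rs) {
      requirePermission(user, "decommissionRegionServers", Action.ADMIN);
      decommissioned.add(rs);
    }
  }

  // Composite client call: the filter step issues the ADMIN-gated list RPC.
  static List<String> getRegionServers(Master m, String user, boolean excludeDecommissionedRS) {
    List<String> all = new ArrayList<>(m.serverNames());
    if (excludeDecommissionedRS) all.removeAll(m.listDecommissionedRegionServers(user));
    return all;
  }

  public static void main(String[] args) {
    Master m = new Master();
    m.grants.put("ops", EnumSet.of(Action.READ, Action.ADMIN));
    m.grants.put("app", EnumSet.of(Action.READ));
    m.decommissionRegionServers("ops", "rs2");
    System.out.println("ops, exclude=true:  " + getRegionServers(m, "ops", true));
    System.out.println("app, exclude=false: " + getRegionServers(m, "app", false));
    try {
      getRegionServers(m, "app", true);
    } catch (SecurityException e) {
      System.out.println("app, exclude=true:  denied (" + e.getMessage() + ")");
    }
  }
}
```

The same read-only user succeeds with `excludeDecommissionedRS=false` and is denied with `true`, which is the symptom a non-admin client sees when the list hook is gated on ADMIN.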