[ https://issues.apache.org/jira/browse/HBASE-26770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Beaudreault resolved HBASE-26770.
---------------------------------------
    Resolution: Won't Fix

As discussed above, HBase does auth per-connection, not per-request. This is a trade-off and moving to per-request may solve some issues while creating others. Additionally it would be a very large lift with compatibility issues to work through. Punting on this for now.

> HBase client does not honor UserGroupInformation.doAs
> -----------------------------------------------------
>
>                 Key: HBASE-26770
>                 URL: https://issues.apache.org/jira/browse/HBASE-26770
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Bryan Beaudreault
>            Priority: Major
>
> Despite passing necessary UserInformation to the RegionServer, which does
> authorize the request, the async and block clients do not work correctly with
> the following access pattern:
> {code:java}
> Connection connection = ConnectionFactory.createConnection();
> Table table = connection.getTable(name);
> UserGroupInformation proxy = UserGroupInformation.createProxyUser(
>   "testUser",
>   UserGroupInformation.getCurrentUser()
> );
> Result result = proxy.doAs(() -> table.get(get));{code}
> In this case, you would expect the get to be executed as "testUser", but
> instead it is executed as whichever user created the initial connection. This
> can be verified by checking the security logger on the RegionServer side.
> The reason for this is we stash the current User onto the actual
> ConnectionImplementation, and we pass that through all calls in the stack
> when executing an RPC. I think the appropriate way would be to replace usage
> of this stashed User with a call to UserGroupInformation.getCurrentUser() in
> RpcConnection, where sasl is negotiated and headers generated.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)