[ https://issues.apache.org/jira/browse/HBASE-26770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Beaudreault resolved HBASE-26770.
---------------------------------------
Resolution: Won't Fix

As discussed above, HBase does auth per-connection, not per-request. This is a
trade-off, and moving to per-request may solve some issues while creating
others. Additionally, it would be a very large lift with compatibility issues to
work through. Punting on this for now.

> HBase client does not honor UserGroupInformation.doAs
> -----------------------------------------------------
>
> Key: HBASE-26770
> URL: https://issues.apache.org/jira/browse/HBASE-26770
> Project: HBase
> Issue Type: Bug
> Reporter: Bryan Beaudreault
> Priority: Major
>
> Despite passing necessary UserInformation to the RegionServer, which does
> authorize the request, the async and block clients do not work correctly with
> the following access pattern:
> {code:java}
> Connection connection = ConnectionFactory.createConnection();
> Table table = connection.getTable(name);
> UserGroupInformation proxy = UserGroupInformation.createProxyUser(
>     "testUser",
>     UserGroupInformation.getCurrentUser()
> );
> // Cast needed: doAs is overloaded for PrivilegedAction and PrivilegedExceptionAction.
> Result result = proxy.doAs((PrivilegedExceptionAction<Result>) () -> table.get(get));
> {code}
> In this case, you would expect the get to be executed as "testUser", but
> instead it is executed as whichever user created the initial connection. This
> can be verified by checking the security logger on the RegionServer side.
> The reason for this is we stash the current User onto the actual
> ConnectionImplementation, and we pass that through all calls in the stack
> when executing an RPC. I think the appropriate way would be to replace usage
> of this stashed User with a call to UserGroupInformation.getCurrentUser() in
> RpcConnection, where sasl is negotiated and headers generated.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
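
Because the user is fixed when the connection is created, a caller that needs requests executed as "testUser" has to hold a connection created for that user. The following is an added example, not code from the issue or from the HBase project: the class `PerUserConnections` and its method names are hypothetical, and it assumes the cluster allows the process's login user to impersonate the named user.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper (not part of HBase): one Connection per effective user. */
public final class PerUserConnections implements AutoCloseable {
  private final Configuration conf;
  private final Map<String, Connection> byUser = new HashMap<>();

  public PerUserConnections(Configuration conf) { this.conf = conf; }

  /** Runs the Get on a connection whose stashed User is the proxy user. */
  public Result getAs(String proxyUserName, TableName name, Get get) throws IOException {
    try (Table table = connectionFor(proxyUserName).getTable(name)) {
      return table.get(get);
    }
  }

  /** Returns the cached connection for this user, creating it on first use. */
  private synchronized Connection connectionFor(String proxyUserName) throws IOException {
    Connection c = byUser.get(proxyUserName);
    if (c == null || c.isClosed()) {
      // The real user is the process's login user, so the result does not
      // depend on any doAs scope the caller happens to be in.
      UserGroupInformation proxy = UserGroupInformation.createProxyUser(
          proxyUserName, UserGroupInformation.getLoginUser());
      // The user is bound here, at connection creation, not at request time.
      c = ConnectionFactory.createConnection(conf, User.create(proxy));
      byUser.put(proxyUserName, c);
    }
    return c;
  }

  @Override
  public synchronized void close() throws IOException {
    for (Connection c : byUser.values()) c.close();
    byUser.clear();
  }
}
```

As the issue description notes, the RegionServer security logger shows which user each request was actually executed as, which is the way to confirm the result.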