Rushabh Shah created HBASE-28391: ------------------------------------ Summary: Remove the need for ADMIN permissions for listDecommissionedRegionServers Key: HBASE-28391 URL: https://issues.apache.org/jira/browse/HBASE-28391 Project: HBase Issue Type: Bug Components: Admin Affects Versions: 2.5.7, 2.4.17 Reporter: Rushabh Shah Assignee: Rushabh Shah
Why we need {{ADMIN}} permissions for {{AccessController#preListDecommissionedRegionServers}} ? >From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the >argument {{excludeDecommissionedRS}} is set to true. Refer >[here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730]. If {{excludeDecommissionedRS}} is set to true and if we have {{AccessController}} co-proc attached, it requires ADMIN permissions to execute {{listDecommissionedRegionServers}} RPC. Refer [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207]. {code:java} @Override public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException { requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN); } {code} I understand that we need ADMIN permissions for _preDecommissionRegionServers_ and _preRecommissionRegionServer_ because it changes the membership of regionservers but I don’t see any need for ADMIN permissions for _listDecommissionedRegionServers_. Do you think we can remove need for ADMIN permissions for _listDecommissionedRegionServers_ RPC? -- This message was sent by Atlassian Jira (v8.20.10#820010)