Rushabh Shah created HBASE-28391:
------------------------------------
Summary: Remove the need for ADMIN permissions for
listDecommissionedRegionServers
Key: HBASE-28391
URL: https://issues.apache.org/jira/browse/HBASE-28391
Project: HBase
Issue Type: Bug
Components: Admin
Affects Versions: 2.5.7, 2.4.17
Reporter: Rushabh Shah
Assignee: Rushabh Shah
Why we need {{ADMIN}} permissions for
{{AccessController#preListDecommissionedRegionServers}} ?
>From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the
>argument {{excludeDecommissionedRS}} is set to true. Refer
>[here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730].
If {{excludeDecommissionedRS}} is set to true and if we have
{{AccessController}} co-proc attached, it requires ADMIN permissions to execute
{{listDecommissionedRegionServers}} RPC. Refer
[here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207].
{code:java}
@Override
public void
preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment>
ctx)
throws IOException {
requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);
}
{code}
I understand that we need ADMIN permissions for _preDecommissionRegionServers_
and _preRecommissionRegionServer_ because it changes the membership of
regionservers but I don’t see any need for ADMIN permissions for
_listDecommissionedRegionServers_. Do you think we can remove need for ADMIN
permissions for _listDecommissionedRegionServers_ RPC?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
