Thank you Viraj and Andrew for the replies.
I have merged HBASE-28391
<https://issues.apache.org/jira/browse/HBASE-28391> to all the active
branches.
On Tue, Feb 27, 2024 at 9:05 AM Andrew Purtell <apurt...@apache.org> wrote:
> We have had this discussion before about other list* methods and we have
> sometimes decided to restrict them to ADMIN. The reason for that was the
> information returned by the method might leak sensitive information. For
> example, listing table descriptors will include all arbitrary and
> potentially sensitive user set attributes in the schema.
> I think here the information listed is not sensitive in the same way. Host
> cluster membership, and especially decommissioned hosts, is not secret.
>
> Compatibility should be fine. Someone granted ADMIN permission will still
> be able to invoke this method if the security check is relaxed.
>
> +1
>
> On Tue, Feb 27, 2024 at 8:32 AM Viraj Jasani <vjas...@apache.org> wrote:
>
> > +1 for relaxing the permission. While I haven't gone through the history,
> > it seems that requiring ADMIN for listDecomm operation might be an
> > oversight.
> >
> > Unless it is really big deal from compatibility viewpoint, I think we
> > should be fine relaxing this.
> >
> >
> >
> > On Mon, Feb 26, 2024 at 8:55 PM Rushabh Shah
> > <rushabh.s...@salesforce.com.invalid> wrote:
> >
> > > Hi hbase-dev,
> > >
> > > Why do we need ADMIN permissions for
> > > AccessController#preListDecommissionedRegionServers
> > > API ?
> > >
> > > From Phoenix, we are calling Admin#getRegionServers(true) where the
> > > argument excludeDecommissionedRS is set to true. [1]
> > > If excludeDecommissionedRS is set to true and if we have
> > > AccessController co-proc
> > > attached, it requires ADMIN permissions to execute
> > > listDecommissionedRegionServers RPC. [2]
> > > Snippet below
> > >
> > > @Override
> > > public void
> > >
> >
> preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment>
> > > ctx)
> > > throws IOException {
> > > requirePermission(ctx, "listDecommissionedRegionServers",
> > > Action.ADMIN);
> > > }
> > >
> > > I understand that we need ADMIN permissions
> > > for preDecommissionRegionServers and preRecommissionRegionServers
> because
> > > it changes the membership of regionservers but I don’t see any need for
> > > ADMIN permissions for listDecommissionedRegionServers.
> > >
> > > Does anyone have objections if we relax the requirement to READ
> > permissions
> > > instead of ADMIN permissions?
> > >
> > > I have created HBASE-28391
> > > <
> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/HBASE-28391__;!!DCbAVzZNrAf4!BkLK4S-sG0Soms4PFYK9G420e4QQdVUdjjz7x0PfOtSq0cvPOLehISZxTqx2Y1tc-bIayELNPNlK6q08dBVJJ4o$
> > to implement this.
> > > Thank you !
> > >
> > >
> > > 1.
> > >
> > >
> >
> https://urldefense.com/v3/__https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java*L1721-L1730__;Iw!!DCbAVzZNrAf4!BkLK4S-sG0Soms4PFYK9G420e4QQdVUdjjz7x0PfOtSq0cvPOLehISZxTqx2Y1tc-bIayELNPNlK6q085ZMR_0M$
> > >
> > > 2.
> > >
> > >
> >
> https://urldefense.com/v3/__https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java*L1205-L1207__;Iw!!DCbAVzZNrAf4!BkLK4S-sG0Soms4PFYK9G420e4QQdVUdjjz7x0PfOtSq0cvPOLehISZxTqx2Y1tc-bIayELNPNlK6q08LXwSMKo$
> > >
> >
>
>
> --
> Best regards,
> Andrew
>
> Unrest, ignorance distilled, nihilistic imbeciles -
> It's what we’ve earned
> Welcome, apocalypse, what’s taken you so long?
> Bring us the fitting end that we’ve been counting on
> - A23, Welcome, Apocalypse
>
