Thanks Duo. Yeah, they do that but I believe there are some calls to AccessChecker inside of the RegionServer that do not go through the Coprocessor but use the AccessChecker directly mostly to check for Admin privileges (for example when updating configuration) and we thought it'd be useful to capture those as well.
But...there's a very good chance we might be missing something as well, yeah. So, I'm also happy to be told I'm wrong :) On Fri, May 24, 2024 at 5:01 PM 张铎(Duo Zhang) <[email protected]> wrote: > > Something like ranger? > > I think ranger just implements its own authorization by HBase coprocessor > > https://github.com/apache/ranger/tree/master/hbase-agent > > Lars Francke <[email protected]> 于2024年5月24日周五 22:54写道: > > > > Hi, > > > > we'd like to implement a way to use authorization information from > > Open Policy Agent[1]. We already do the same for HDFS, Trino and a few > > other tools. > > > > It's been a while since I dug into the internals on this one but it > > seems as if we're missing a piece that's needed and that is a plugin > > point to change the actual implementation class for the AccessChecker. > > We'd need to override that. > > > > Before I start working on it and open an issue I wanted to ask for opinions. > > We'd probably want to refactor AccessChecker to be an interface > > instead of an actual class but that is also optional and can be > > discussed later. > > > > For now I'd love to know if we're missing a plugin point that we can > > use already today but it looks very hardcoded and if the idea of > > making AccessChecker pluggable is a useful one we can pursue? > > > > Thanks, > > Lars > > > > [1] <https://www.openpolicyagent.org/>
