I agree with Duo that you'd want to write a new coprocessor. AccessChecker is just a class used by AccessController, a coprocessor that hooks almost every RPC action a user/system could make. You can provide a new OpenPolicyAgentCoprocessor which does similar. A user could decide to use AccessController or OpenPolicyAgentCoprocessor.
You're right that there are a couple direct calls to AccessChecker, but we should wrap those with coprocessor instead. I thought we actually did that recently.... On Fri, May 24, 2024 at 11:54 AM Lars Francke <lars.fran...@gmail.com> wrote: > Thanks Duo. > > Yeah, they do that but I believe there are some calls to AccessChecker > inside of the RegionServer that do not go through the Coprocessor but > use the AccessChecker directly mostly to check for Admin privileges > (for example when updating configuration) and we thought it'd be > useful to capture those as well. > > But...there's a very good chance we might be missing something as > well, yeah. So, I'm also happy to be told I'm wrong :) > > > On Fri, May 24, 2024 at 5:01 PM 张铎(Duo Zhang) <palomino...@gmail.com> > wrote: > > > > Something like ranger? > > > > I think ranger just implements its own authorization by HBase coprocessor > > > > https://github.com/apache/ranger/tree/master/hbase-agent > > > > Lars Francke <lars.fran...@gmail.com> 于2024年5月24日周五 22:54写道: > > > > > > Hi, > > > > > > we'd like to implement a way to use authorization information from > > > Open Policy Agent[1]. We already do the same for HDFS, Trino and a few > > > other tools. > > > > > > It's been a while since I dug into the internals on this one but it > > > seems as if we're missing a piece that's needed and that is a plugin > > > point to change the actual implementation class for the AccessChecker. > > > We'd need to override that. > > > > > > Before I start working on it and open an issue I wanted to ask for > opinions. > > > We'd probably want to refactor AccessChecker to be an interface > > > instead of an actual class but that is also optional and can be > > > discussed later. > > > > > > For now I'd love to know if we're missing a plugin point that we can > > > use already today but it looks very hardcoded and if the idea of > > > making AccessChecker pluggable is a useful one we can pursue? > > > > > > Thanks, > > > Lars > > > > > > [1] <https://www.openpolicyagent.org/> >
