Here is the jira I was referring to where we added coprocessor hooks for the cases you saw: https://issues.apache.org/jira/browse/HBASE-26268

On Fri, May 24, 2024 at 12:36 PM Bryan Beaudreault <bbeaudrea...@apache.org> wrote:

> I agree with Duo that you'd want to write a new coprocessor. AccessChecker
> is just a class used by AccessController, a coprocessor that hooks almost
> every RPC action a user/system could make. You can provide a new
> OpenPolicyAgentCoprocessor which does similar. A user could decide to use
> AccessController or OpenPolicyAgentCoprocessor.
>
> You're right that there are a couple direct calls to AccessChecker, but we
> should wrap those with coprocessor instead. I thought we actually did that
> recently....
>
> On Fri, May 24, 2024 at 11:54 AM Lars Francke <lars.fran...@gmail.com>
> wrote:
>
>> Thanks Duo.
>>
>> Yeah, they do that but I believe there are some calls to AccessChecker
>> inside of the RegionServer that do not go through the Coprocessor but
>> use the AccessChecker directly mostly to check for Admin privileges
>> (for example when updating configuration) and we thought it'd be
>> useful to capture those as well.
>>
>> But...there's a very good chance we might be missing something as
>> well, yeah. So, I'm also happy to be told I'm wrong :)
>>
>>
>> On Fri, May 24, 2024 at 5:01 PM 张铎(Duo Zhang) <palomino...@gmail.com>
>> wrote:
>> >
>> > Something like ranger?
>> >
>> > I think ranger just implements its own authorization by HBase coprocessor
>> >
>> > https://github.com/apache/ranger/tree/master/hbase-agent
>> >
>> > Lars Francke <lars.fran...@gmail.com> wrote on Fri, May 24, 2024 at 22:54:
>> > >
>> > > Hi,
>> > >
>> > > we'd like to implement a way to use authorization information from
>> > > Open Policy Agent[1]. We already do the same for HDFS, Trino and a few
>> > > other tools.
>> > >
>> > > It's been a while since I dug into the internals on this one but it
>> > > seems as if we're missing a piece that's needed and that is a plugin
>> > > point to change the actual implementation class for the AccessChecker.
>> > > We'd need to override that.
>> > >
>> > > Before I start working on it and open an issue I wanted to ask for opinions.
>> > > We'd probably want to refactor AccessChecker to be an interface
>> > > instead of an actual class but that is also optional and can be
>> > > discussed later.
>> > >
>> > > For now I'd love to know if we're missing a plugin point that we can
>> > > use already today but it looks very hardcoded and if the idea of
>> > > making AccessChecker pluggable is a useful one we can pursue?
>> > >
>> > > Thanks,
>> > > Lars
>> > >
>> > > [1] <https://www.openpolicyagent.org/>