Oh damn! I was probably not looking at the latest code from main. Sorry for
the noise then and thank you both for the quick help.

I'll take a look at the Jira and the latest code then!

Bryan Beaudreault <bbeaudrea...@apache.org> wrote on Fri, May 24, 2024,
18:39:

> Here is the jira I was referring to where we added coprocessor hooks for
> the cases you saw: https://issues.apache.org/jira/browse/HBASE-26268
>
> On Fri, May 24, 2024 at 12:36 PM Bryan Beaudreault <bbeaudrea...@apache.org>
> wrote:
>
> > I agree with Duo that you'd want to write a new coprocessor. AccessChecker
> > is just a class used by AccessController, a coprocessor that hooks almost
> > every RPC action a user/system could make. You can provide a new
> > OpenPolicyAgentCoprocessor which does similar. A user could decide to use
> > AccessController or OpenPolicyAgentCoprocessor.
> >
> > You're right that there are a couple direct calls to AccessChecker, but we
> > should wrap those with coprocessor instead. I thought we actually did that
> > recently....
> >
> > On Fri, May 24, 2024 at 11:54 AM Lars Francke <lars.fran...@gmail.com>
> > wrote:
> >
> >> Thanks Duo.
> >>
> >> Yeah, they do that but I believe there are some calls to AccessChecker
> >> inside of the RegionServer that do not go through the Coprocessor but
> >> use the AccessChecker directly mostly to check for Admin privileges
> >> (for example when updating configuration) and we thought it'd be
> >> useful to capture those as well.
> >>
> >> But...there's a very good chance we might be missing something as
> >> well, yeah. So, I'm also happy to be told I'm wrong :)
> >>
> >>
> >> On Fri, May 24, 2024 at 5:01 PM 张铎(Duo Zhang) <palomino...@gmail.com>
> >> wrote:
> >> >
> >> > Something like ranger?
> >> >
> >> > I think ranger just implements its own authorization by HBase coprocessor
> >> >
> >> > https://github.com/apache/ranger/tree/master/hbase-agent
> >> >
> >> > Lars Francke <lars.fran...@gmail.com> wrote on Fri, May 24, 2024 at 22:54:
> >> > >
> >> > > Hi,
> >> > >
> >> > > we'd like to implement a way to use authorization information from
> >> > > Open Policy Agent[1]. We already do the same for HDFS, Trino and a few
> >> > > other tools.
> >> > >
> >> > > It's been a while since I dug into the internals on this one but it
> >> > > seems as if we're missing a piece that's needed and that is a plugin
> >> > > point to change the actual implementation class for the AccessChecker.
> >> > > We'd need to override that.
> >> > >
> >> > > Before I start working on it and open an issue I wanted to ask for
> >> > > opinions.
> >> > > We'd probably want to refactor AccessChecker to be an interface
> >> > > instead of an actual class but that is also optional and can be
> >> > > discussed later.
> >> > >
> >> > > For now I'd love to know if we're missing a plugin point that we can
> >> > > use already today but it looks very hardcoded and if the idea of
> >> > > making AccessChecker pluggable is a useful one we can pursue?
> >> > >
> >> > > Thanks,
> >> > > Lars
> >> > >
> >> > > [1] <https://www.openpolicyagent.org/>
> >>
> >
>
