[ 
https://issues.apache.org/jira/browse/HBASE-19318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16262990#comment-16262990
 ] 

Josh Elser commented on HBASE-19318:
------------------------------------

I'm struggling to follow, [~anoop.hbase]

bq. Is that really advisable? ACL is a core part. Just because it is 
implemented as CP, this is possible now.

This is nothing new. Ranger has been doing this for years. Why the "possible 
now" comment? As it stands now, HBase has broken Ranger functionality.

Clients will run a check against the master to determine the security 
capabilities and fail outright because it thinks HBase doesn't have any 
authorization support (because the AccessController implementation is missing). 
I'm really confused by your suggestion that authz is not meant to be pluggable 
inside of HBase.

> MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase 
> AccessController implementation
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-19318
>                 URL: https://issues.apache.org/jira/browse/HBASE-19318
>             Project: HBase
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Sharmadha Sainath
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 1.4.0, 1.3.2, 1.2.7, 2.0.0-beta-1
>
>
> Sharmadha brought a failure to my attention trying to use Ranger with HBase 
> 2.0 where the {{grant}} command was erroring out unexpectedly. The cluster 
> had the Ranger-specific coprocessors deployed, per what was previously 
> working on the HBase 1.1 line.
> After some digging, I found that the Master is actually making a check 
> explicitly for a Coprocessor that has the name 
> {{org.apache.hadoop.hbase.security.access.AccessController}} (short name or 
> full name), instead of looking for a deployed coprocessor which can be 
> assigned to {{AccessController}} (which is what Ranger does). We have the 
> CoprocessorHost methods to do the latter already implemented; it strikes me 
> that we just accidentally used the wrong method in MasterRpcServices.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
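
The difference between the two lookups described in the issue, as an added example that is not part of the JIRA comment and is not HBase or Ranger code. The nested `AccessController` is a stand-in for the HBase class, and `VendorAuthorizer`, `findByName` and `findByType` are hypothetical names for a simplified coprocessor host.

```java
import java.util.ArrayList;
import java.util.List;

public class CapabilityCheckDemo {
    // Stand-in for org.apache.hadoop.hbase.security.access.AccessController.
    static class AccessController {}

    // Hypothetical third-party authorizer that can be assigned to AccessController.
    static class VendorAuthorizer extends AccessController {}

    // Simplified model of a coprocessor host: the loaded coprocessor instances.
    static final List<Object> loaded = new ArrayList<>();

    // Name-based lookup: matches only an exact short or fully qualified class name.
    static Object findByName(String className) {
        for (Object cp : loaded) {
            Class<?> c = cp.getClass();
            if (c.getName().equals(className) || c.getSimpleName().equals(className)) {
                return cp;
            }
        }
        return null;
    }

    // Type-based lookup: matches every instance assignable to the requested type.
    static <T> List<T> findByType(Class<T> type) {
        List<T> out = new ArrayList<>();
        for (Object cp : loaded) {
            if (type.isInstance(cp)) {
                out.add(type.cast(cp));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed scenario: only the third-party authorizer is deployed.
        loaded.add(new VendorAuthorizer());

        boolean authzByName = findByName(AccessController.class.getName()) != null
                || findByName(AccessController.class.getSimpleName()) != null;
        boolean authzByType = !findByType(AccessController.class).isEmpty();

        // A capability list built from the name check omits authorization,
        // although an authorizer is loaded and enforcing access control.
        System.out.println("authorization reported by name check: " + authzByName);
        System.out.println("authorization reported by type check: " + authzByType);
    }
}
```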
