[ https://issues.apache.org/jira/browse/HBASE-19093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16263741#comment-16263741 ]

Anoop Sam John commented on HBASE-19093:
----------------------------------------

> If we add a new method to MasterRpcServices, but don't add pre/post methods
> to MasterObserver. So it will still miss the ACL check?

Good point. Wanted to come to this jira and check the attached patch but missed
it in between something else. I have a doubt on the general approach. The issue
is when we add new client functions (say adding Quota things), there are chances
that we miss the ACL checks. It is not normally seen that hooks are added around
the ops but the impl in AC is missed. In fact, most of the time the AC is the
prompting factor for adding hooks. We cleaned up some hooks recently which were
exposing too much internal stuff to CPs (around procedure, locks). All those
hooks were designed so as to do some AC checks. So the problem is mostly the
other way around compared to what the patch is trying to do. Not sure how we can
add a test for that.

> Check Admin/Table to ensure all operations go via AccessControl
> ---------------------------------------------------------------
>
>                 Key: HBASE-19093
>                 URL: https://issues.apache.org/jira/browse/HBASE-19093
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: stack
>            Assignee: Balazs Meszaros
>            Priority: Blocker
>             Fix For: 2.0.0-beta-1
>
>         Attachments: HBASE-19093.master.001.patch, 
> HBASE-19093.master.002.patch, RegionObserver.txt
>
>
> A cursory review of Admin Interface has a bunch of methods as open, without
> AccessControl checks. For example, procedure executor has no check on it.
> This issue is about giving the Admin and Table Interfaces a once-over to see
> what is missing and to fill in access control where missing.
> This is a follow-on from work over in HBASE-19048



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
