[ https://issues.apache.org/jira/browse/HBASE-19093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16272893#comment-16272893 ]
Balazs Meszaros commented on HBASE-19093: ----------------------------------------- I have checked 5 RPC interface and I found some methods which server side implementation does not call AccessController at all or AccessController does not have an implementation for them. I excluded those methods from the list which names start with {{get}}, {{is}} and {{list}}. {{MasterService.Interface}} - normalize - setNormalizerRunning - runCatalogScan - enableCatalogJanitor - runCleanerChore - setCleanerChoreRunning - execMasterService - execProcedure - execProcedureWithRet {{AdminService.Interface}} - replay - warmupRegion - updateFavoredNodes - clearRegionBlockCache - updateConfiguration {{RegionServerStatusService.Interface}} - regionServerStartup - regionServerReport - reportRSFatalError - reportRegionStateTransition - reportRegionSpaceUse {{LockService.Interface}} No missing security checks. {{ClientService.Interface}} - execRegionServerService What do you think, all of these method should have AccessController hooks? > Check Admin/Table to ensure all operations go via AccessControl > --------------------------------------------------------------- > > Key: HBASE-19093 > URL: https://issues.apache.org/jira/browse/HBASE-19093 > Project: HBase > Issue Type: Sub-task > Reporter: stack > Assignee: Balazs Meszaros > Priority: Blocker > Fix For: 2.0.0-beta-1 > > Attachments: HBASE-19093.master.001.patch, > HBASE-19093.master.002.patch, RegionObserver.txt > > > A cursory review of Admin Interface has a bunch of methods as open, with out > AccessControl checks. For example, procedure executor has not check on it. > This issue is about given the Admin and Table Interfaces a once-over to see > what is missing and to fill in access control where missing. > This is a follow-on from work over in HBASE-19048 -- This message was sent by Atlassian JIRA (v6.4.14#64029)