[
https://issues.apache.org/jira/browse/HBASE-19093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16272893#comment-16272893
]
Balazs Meszaros commented on HBASE-19093:
-----------------------------------------
I have checked 5 RPC interfaces and I found some methods whose server-side
implementation does not call AccessController at all or for which
AccessController does not have an implementation. I excluded from the list
those methods whose names start with {{get}}, {{is}} and {{list}}.
{{MasterService.Interface}}
- normalize
- setNormalizerRunning
- runCatalogScan
- enableCatalogJanitor
- runCleanerChore
- setCleanerChoreRunning
- execMasterService
- execProcedure
- execProcedureWithRet
{{AdminService.Interface}}
- replay
- warmupRegion
- updateFavoredNodes
- clearRegionBlockCache
- updateConfiguration
{{RegionServerStatusService.Interface}}
- regionServerStartup
- regionServerReport
- reportRSFatalError
- reportRegionStateTransition
- reportRegionSpaceUse
{{LockService.Interface}}
No missing security checks.
{{ClientService.Interface}}
- execRegionServerService
What do you think, should all of these methods have AccessController hooks?
> Check Admin/Table to ensure all operations go via AccessControl
> ---------------------------------------------------------------
>
> Key: HBASE-19093
> URL: https://issues.apache.org/jira/browse/HBASE-19093
> Project: HBase
> Issue Type: Sub-task
> Reporter: stack
> Assignee: Balazs Meszaros
> Priority: Blocker
> Fix For: 2.0.0-beta-1
>
> Attachments: HBASE-19093.master.001.patch,
> HBASE-19093.master.002.patch, RegionObserver.txt
>
>
> A cursory review of Admin Interface has a bunch of methods as open, without
> AccessControl checks. For example, procedure executor has no check on it.
> This issue is about giving the Admin and Table Interfaces a once-over to see
> what is missing and to fill in access control where missing.
> This is a follow-on from work over in HBASE-19048
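An added example, not from the JIRA comment or from HBase's code: a reflection-based version of the audit the comment describes, listing the methods of an RPC interface (minus the {{get}}, {{is}} and {{list}} names) that have no matching hook on an access controller class. `SampleRpcInterface`, `SampleAccessController` and the `pre<Method>` naming rule are constructed stand-ins and assumptions, not HBase's real types.

```java
import java.lang.reflect.Method;
import java.util.*;
import java.util.stream.Collectors;

public class RpcHookAudit {
    // Constructed stand-in for an RPC interface such as MasterService.Interface.
    interface SampleRpcInterface {
        void normalize();
        void runCatalogScan();
        void createTable();
        void getTableDescriptors();
        void isMasterRunning();
        void listNamespaces();
    }

    // Constructed stand-in for an access controller; the pre<Method> hook naming is an assumption.
    static class SampleAccessController {
        public void preCreateTable() { }
        public void preGetTableDescriptors() { }
    }

    private static final List<String> READ_PREFIXES = Arrays.asList("get", "is", "list");

    // Returns RPC methods (read-style prefixes excluded) that have no pre<Method> hook on the controller.
    static Set<String> missingHooks(Class<?> rpcInterface, Class<?> controller) {
        Set<String> hooks = Arrays.stream(controller.getMethods())
            .map(Method::getName)
            .collect(Collectors.toSet());
        Set<String> missing = new TreeSet<>();
        for (Method m : rpcInterface.getMethods()) {
            String name = m.getName();
            if (READ_PREFIXES.stream().anyMatch(name::startsWith)) {
                continue; // same exclusion the comment applies to its list
            }
            String hook = "pre" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            if (!hooks.contains(hook)) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        missingHooks(SampleRpcInterface.class, SampleAccessController.class)
            .forEach(n -> System.out.println("no access-control hook: " + n));
    }
}
```

A name match only shows that a hook exists. Whether the server-side implementation actually invokes it still needs a read of the code, which is the first of the two gaps the comment reports.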