[ https://issues.apache.org/jira/browse/HBASE-19483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16302060#comment-16302060 ]
Appy commented on HBASE-19483: ------------------------------ [~andrewcheng] raises a good question on rb: bq. If using AccessChecker.isAuthorizationSupported, should we need to set the default value of hbase.security.authorization to false? If not, it may happen that the value of hbase.security.authorization is true, but AccessController is not added to the server. Only the RSGroup enable authorization. However,we can't update the permission informations because it depends on AccessController.Is this OK? Currently default value is true. Used by AccessController and VisibilityController. So i guess the assumption is, if these CPs are specified in hbase.cp.*.classes config, it's assumed that security is enabled unless that config is explicitly set to false. Comment in code says: /** if we are active, usually true, only not true if "hbase.security.authorization" has been set to false in site configuration */ But that implicit assumption of "security is On if cp is loaded" isn't true for rsgroup cp. And checking for other CP names in config value to decide if security is on is not a good design. Can't think of any other way than changing default value, updating doc, and especially calling out in upgrading section. > Add proper privilege check for rsgroup commands > ----------------------------------------------- > > Key: HBASE-19483 > URL: https://issues.apache.org/jira/browse/HBASE-19483 > Project: HBase > Issue Type: Bug > Reporter: Ted Yu > Assignee: Guangxu Cheng > Fix For: 1.4.1, 1.5.0, 2.0.0-beta-2 > > Attachments: HBASE-19483.master.001.patch, > HBASE-19483.master.002.patch, HBASE-19483.master.003.patch, > HBASE-19483.master.004.patch, HBASE-19483.master.005.patch, > HBASE-19483.master.006.patch > > > Currently list_rsgroups command can be executed by any user. > This is inconsistent with other list commands such as list_peers and > list_peer_configs. > We should add proper privilege check for list_rsgroups command. > privilege check should be added for get_table_rsgroup / get_server_rsgroup / > get_rsgroup commands. -- This message was sent by Atlassian JIRA (v6.4.14#64029)