[ https://issues.apache.org/jira/browse/HBASE-21814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guanghao Zhang updated HBASE-21814:
-----------------------------------
    Attachment: HBASE-21814.master.001.patch

> Remove the TODO in AccessControlLists#addUserPermission
> -------------------------------------------------------
>
>                 Key: HBASE-21814
>                 URL: https://issues.apache.org/jira/browse/HBASE-21814
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Guanghao Zhang
>            Assignee: Guanghao Zhang
>            Priority: Major
>             Fix For: 3.0.0, 2.2.0, 2.3.0
>
>         Attachments: HBASE-21814.master.001.patch, HBASE-21814.master.001.patch
>
>
> The TODO was added by me. Because this method happens within the RS. The old
> impl uses a login user (User.runAsLoginUser, where the login user is the user
> who started the RS process) to call Table.put(). And it will check the permission
> when putting a record to the ACL table. At RpcServer we have a ThreadLocal where we
> keep the CallContext and inside that the current RPC called user info is set.
> We need Table.put(List<Put>) to change to a new thread and so the old
> ThreadLocal variable is not accessible and so it looks as if there is no Rpc context
> and we were relying on the super user who starts the RS process.
>
> {code:java}
> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
>   @Override
>   public Void run() throws Exception {
>     AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm,
>       regionEnv.getTable(AccessControlLists.ACL_TABLE_NAME),
>       request.getMergeExistingPermissions());
>     return null;
>   }
> });
> {code}
>
> But after HBASE-21739, there is no need for User.runAsLoginUser. Because we will call
> the Admin method to grant/revoke. And this will be executed in master and use the
> master user (the user who started the master process) to call Table.put. So this
> is not a problem now.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
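
The thread hand-off described in the issue, as an added illustration that is not HBase code and not part of the original message: a ThreadLocal call context set on the RPC handler thread is invisible to a worker thread, so an identity lookup made there falls back to the process login user. All class, field and user names below are hypothetical stand-ins.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model with hypothetical names; none of these are HBase classes.
public class CallContextDemo {
    // Stand-in for the per-RPC call context the RPC server keeps in a ThreadLocal.
    static final ThreadLocal<String> RPC_USER = new ThreadLocal<>();
    // Stand-in for the user who started the server process (constructed value).
    static final String LOGIN_USER = "server-login-user";

    // Identity a permission check sees on the current thread:
    // the RPC caller if a call context exists, otherwise the login user.
    static String effectiveUser() {
        String rpcUser = RPC_USER.get();
        return rpcUser != null ? rpcUser : LOGIN_USER;
    }

    // Stand-in for the ACL-table write check: only the login user may write.
    static boolean mayWriteAcl(String user) {
        return LOGIN_USER.equals(user);
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Handler thread serving a grant request from a constructed caller.
            RPC_USER.set("alice");
            String onHandler = effectiveUser();
            System.out.println("handler thread: user=" + onHandler
                + " mayWriteAcl=" + mayWriteAcl(onHandler));

            // The same lookup on a worker thread: the handler's ThreadLocal
            // is not inherited, so the caller identity is gone.
            Callable<String> lookup = CallContextDemo::effectiveUser;
            String onWorker = pool.submit(lookup).get();
            System.out.println("worker thread:  user=" + onWorker
                + " mayWriteAcl=" + mayWriteAcl(onWorker));
        } finally {
            RPC_USER.remove();
            pool.shutdown();
        }
    }
}
```

In this model the write succeeds on the worker thread only because the caller identity was dropped, which is why the caller's own permission has to be checked before the work changes threads or identities.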