[ https://issues.apache.org/jira/browse/HBASE-28391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17820958#comment-17820958 ]
Rushabh Shah commented on HBASE-28391: -------------------------------------- > Better start a discussion thread on dev list about this, if no objections, >let's change it to Action.READ Thank you [~zhangduo] for the reply. Created discussion thread [here|] > Remove the need for ADMIN permissions for listDecommissionedRegionServers > ------------------------------------------------------------------------- > > Key: HBASE-28391 > URL: https://issues.apache.org/jira/browse/HBASE-28391 > Project: HBase > Issue Type: Bug > Components: Admin > Affects Versions: 2.4.17, 2.5.7 > Reporter: Rushabh Shah > Assignee: Rushabh Shah > Priority: Major > Labels: pull-request-available > > Why we need {{ADMIN}} permissions for > {{AccessController#preListDecommissionedRegionServers}} ? > From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the > argument {{excludeDecommissionedRS}} is set to true. Refer > [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730]. > If {{excludeDecommissionedRS}} is set to true and if we have > {{AccessController}} co-proc attached, it requires ADMIN permissions to > execute {{listDecommissionedRegionServers}} RPC. Refer > [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207]. > > {code:java} > @Override > public void > preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> > ctx) > throws IOException { > requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN); > } > {code} > I understand that we need ADMIN permissions for > _preDecommissionRegionServers_ and _preRecommissionRegionServer_ because it > changes the membership of regionservers but I don’t see any need for ADMIN > permissions for _listDecommissionedRegionServers_. Do you think we can > remove need for ADMIN permissions for _listDecommissionedRegionServers_ RPC? -- This message was sent by Atlassian Jira (v8.20.10#820010)