[ https://issues.apache.org/jira/browse/HBASE-28391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17821400#comment-17821400 ]
Rushabh Shah commented on HBASE-28391: -------------------------------------- Thank you [~nihaljain.cs] and [~zhangduo] for the review. Merged the patch to all active branches: trunk, branch-3, branch-2, branch-2.6, branch-2.5 and branch-2.4 > Remove the need for ADMIN permissions for listDecommissionedRegionServers > ------------------------------------------------------------------------- > > Key: HBASE-28391 > URL: https://issues.apache.org/jira/browse/HBASE-28391 > Project: HBase > Issue Type: Bug > Components: Admin > Affects Versions: 2.4.17, 2.5.7 > Reporter: Rushabh Shah > Assignee: Rushabh Shah > Priority: Major > Labels: pull-request-available > Fix For: 2.6.0, 2.4.18, 4.0.0-alpha-1, 2.7.0, 2.5.8, 3.0.0-beta-2 > > > Why we need {{ADMIN}} permissions for > {{AccessController#preListDecommissionedRegionServers}} ? > From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the > argument {{excludeDecommissionedRS}} is set to true. Refer > [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730]. > If {{excludeDecommissionedRS}} is set to true and if we have > {{AccessController}} co-proc attached, it requires ADMIN permissions to > execute {{listDecommissionedRegionServers}} RPC. Refer > [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207]. > > {code:java} > @Override > public void > preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> > ctx) > throws IOException { > requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN); > } > {code} > I understand that we need ADMIN permissions for > _preDecommissionRegionServers_ and _preRecommissionRegionServer_ because it > changes the membership of regionservers but I don’t see any need for ADMIN > permissions for _listDecommissionedRegionServers_. Do you think we can > remove need for ADMIN permissions for _listDecommissionedRegionServers_ RPC? -- This message was sent by Atlassian Jira (v8.20.10#820010)