[ https://issues.apache.org/jira/browse/HBASE-28391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17821862#comment-17821862 ]

Hudson commented on HBASE-28391:
--------------------------------

Results for branch master
        [build #1022 on builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1022/]: (x) *{color:red}-1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1022/General_20Nightly_20Build_20Report/]

(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1022/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1022/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}


> Remove the need for ADMIN permissions for listDecommissionedRegionServers
> -------------------------------------------------------------------------
>
>                 Key: HBASE-28391
>                 URL: https://issues.apache.org/jira/browse/HBASE-28391
>             Project: HBase
>          Issue Type: Bug
>          Components: Admin
>    Affects Versions: 2.4.17, 2.5.7
>            Reporter: Rushabh Shah
>            Assignee: Rushabh Shah
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.6.0, 2.4.18, 4.0.0-alpha-1, 2.7.0, 2.5.8, 3.0.0-beta-2
>
>
> Why do we need {{ADMIN}} permissions for 
> {{AccessController#preListDecommissionedRegionServers}}?
> From Phoenix, we are calling {{Admin#getRegionServers(true)}} where the 
> argument {{excludeDecommissionedRS}} is set to true. Refer 
> [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-client/src/main/java/org/apache/hadoop/hbase/client/Admin.java#L1721-L1730].
> If {{excludeDecommissionedRS}} is set to true and we have the 
> {{AccessController}} co-proc attached, it requires ADMIN permissions to 
> execute the {{listDecommissionedRegionServers}} RPC. Refer 
> [here|https://github.com/apache/hbase/blob/branch-2.5/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java#L1205-L1207].
>  
> {code:java}
>   @Override
>   public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)
>     throws IOException {
>     requirePermission(ctx, "listDecommissionedRegionServers", Action.ADMIN);
>   }
> {code}
> I understand that we need ADMIN permissions for 
> _preDecommissionRegionServers_ and _preRecommissionRegionServer_ because they 
> change the membership of regionservers, but I don’t see any need for ADMIN 
> permissions for _listDecommissionedRegionServers_. Do you think we can 
> remove the need for ADMIN permissions for the _listDecommissionedRegionServers_ RPC?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
