accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Wall (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4519) System permission bug in Thrift Proxy
Date Thu, 09 Feb 2017 21:56:42 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15860276#comment-15860276
] 

Michael Wall commented on ACCUMULO-4519:
----------------------------------------

This patch going in shortly.  [~ctubbsii] is merging up and regenerating the thrift files
(Thanks Christopher).  [~cutylewiwi] may we add you to the list of contributors, http://accumulo.apache.org/people/#contributors?

> System permission bug in Thrift Proxy
> -------------------------------------
>
>                 Key: ACCUMULO-4519
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4519
>             Project: Accumulo
>          Issue Type: Bug
>          Components: proxy
>    Affects Versions: 1.8.0
>            Reporter: Yudong Wu
>            Assignee: Yudong Wu
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>
>         Attachments: ACCUMULO-4519.0000.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The system permission list between core and Thrift proxy is inconsistent. The proxy lacks
the support for some of the newly added system permissions, including:
> {{System.CREATE_NAMESPACE}}
> {{System.DROP_NAMESPACE}}
> {{System.ALTER_NAMESPACE}}
> {{System.OBTAIN_DELEGATION_TOKEN}}
> Currently, when connecting through Thrift proxy, we can't grant, check or revoke the
above 4 System permissions. When a proxy client sends permissions (i.e., {{System.CREATE_NAMESPACE}}),
it will receive {{AccumuloException}} wrapping around {{java.lang.NullPointerException}}:
> {code:borderStyle=solid}
> Traceback (most recent call last):
>   File "Client.py", line 32, in <module>
>     client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
>   File "***AccumuloProxy.py", line 2980, in grantSystemPermission
>     self.recv_grantSystemPermission()
>   File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
>     raise result.ouch1
> accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
> {code}
> The bug is in the Thrift proxy file
> {code:title=accumulo/proxy/src/main/thrift/proxy/thrift|borderStyle=solid}
> enum SystemPermission {
>   GRANT = 0,
>   CREATE_TABLE = 1,
>   DROP_TABLE = 2,
>   ALTER_TABLE = 3,
>   CREATE_USER = 4,
>   DROP_USER = 5,
>   ALTER_USER = 6,
>   SYSTEM = 7,
> }
> {code}
> The {{SystemPermission}} enum clearly misses Permission #8--#11 defined in Accumulo core:
> {code:title=accumulo/core/.../SystemPermission.java|borderStyle=solid}
> public enum SystemPermission {
>   /*
>    * One may add new permissions, but new permissions must use new numbers. Current numbers
in use must not be changed.
>    */
>   GRANT((byte) 0),
>   CREATE_TABLE((byte) 1),
>   DROP_TABLE((byte) 2),
>   ALTER_TABLE((byte) 3),
>   CREATE_USER((byte) 4),
>   DROP_USER((byte) 5),
>   ALTER_USER((byte) 6),
>   SYSTEM((byte) 7),
>   CREATE_NAMESPACE((byte) 8),
>   DROP_NAMESPACE((byte) 9),
>   ALTER_NAMESPACE((byte) 10),
>   OBTAIN_DELEGATION_TOKEN((byte) 11);
> }
> {code}
> The fix should be straightforward---just add the corresponding permissions into the Thrift
proxy file. 
> Let me know if you need any more info, or want a patch for this. 
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message