phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3126) The driver implementation should take into account the context of the user
Date Tue, 02 Aug 2016 19:06:21 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15404612#comment-15404612 ]

Josh Elser commented on PHOENIX-3126:
-------------------------------------

One thing I just noticed is that {{User.getCurrent()}} has the potential to return {{null}}
which would cause an NPE in the equals() method. I'm not sure if that can actually happen
looking at the calling code, though.

{noformat}
@@ -415,6 +424,7 @@ public abstract class PhoenixEmbeddedDriver implements Driver, SQLCloseable
{
             if (obj == null) return false;
             if (getClass() != obj.getClass()) return false;
             ConnectionInfo other = (ConnectionInfo) obj;
+            if (!other.user.equals(user)) return false;
             if (zookeeperQuorum == null) {
                 if (other.zookeeperQuorum != null) return false;
             } else if (!zookeeperQuorum.equals(other.zookeeperQuorum)) return false;
{noformat}
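
Review bot: the added line "if (!other.user.equals(user)) return false;" dereferences other.user with no null guard, while the zookeeperQuorum comparison directly below it handles null on both sides. Use Objects.equals(other.user, user), or the same null-check pattern as the neighbouring fields, so that equals() cannot throw. This hunk only touches equals(); since ConnectionInfo is used as a cache key, confirm that hashCode() also covers user, otherwise the two methods disagree about which keys are equal.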

We can easily switch that to {{Objects.equals(other.user, user)}} to work around any worry.
Since it's late for [~ankit@apache.org], I can make that change and commit this too.

> The driver implementation should take into account the context of the user
> --------------------------------------------------------------------------
>
>                 Key: PHOENIX-3126
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3126
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Devaraj Das
>             Fix For: 4.8.0
>
>         Attachments: PHOENIX-3126.txt, aaaa.java
>
>
> Ran into this issue ... 
> We have an application that proxies various users internally and fires queries for those
> users. The Phoenix driver implementation caches connections it successfully creates and keys
> it by the ConnectionInfo. The ConnectionInfo doesn't take into consideration the "user". So
> random users (including those that aren't supposed to access) can access the tables in this
> sort of a setup.
> The fix is to also consider the User in the ConnectionInfo.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
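
The caching problem described in the issue and the null-safe comparison suggested in the comment, as an added example that is not Phoenix code. The Key class, the connect helper, the keyOnUser switch and the sample users and quorum are hypothetical, constructed for illustration.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

public class ConnectionCacheDemo {
    // Hypothetical stand-in for a connection cache key; not Phoenix's ConnectionInfo.
    static class Key {
        final String quorum;      // cluster address
        final String user;        // caller identity, may be null
        final boolean keyOnUser;  // false = key ignores the user, true = key includes it

        Key(String quorum, String user, boolean keyOnUser) {
            this.quorum = quorum;
            this.user = user;
            this.keyOnUser = keyOnUser;
        }

        @Override public boolean equals(Object obj) {
            if (this == obj) return true;
            if (obj == null || getClass() != obj.getClass()) return false;
            Key other = (Key) obj;
            // Objects.equals never dereferences a null user, so no NPE here.
            if (keyOnUser && !Objects.equals(other.user, user)) return false;
            return Objects.equals(quorum, other.quorum);
        }

        @Override public int hashCode() {
            // hashCode must cover the same fields equals compares.
            return keyOnUser ? Objects.hash(quorum, user) : Objects.hash(quorum);
        }
    }

    // Returns a string naming the identity the cached "connection" was opened as.
    static String connect(Map<Key, String> cache, String quorum, String user, boolean keyOnUser) {
        return cache.computeIfAbsent(new Key(quorum, user, keyOnUser),
                k -> "connection opened as " + user);
    }

    public static void main(String[] args) {
        for (boolean keyOnUser : new boolean[] {false, true}) {
            Map<Key, String> cache = new ConcurrentHashMap<>();
            connect(cache, "zk1:2181", "alice", keyOnUser);  // first caller fills the cache
            String bob = connect(cache, "zk1:2181", "bob", keyOnUser);
            String anon = connect(cache, "zk1:2181", null, keyOnUser);
            System.out.println("keyOnUser=" + keyOnUser
                    + ": bob got [" + bob + "], null user got [" + anon + "]");
        }
    }
}
```

With the user left out of the key, every later caller is handed the connection that was opened as the first user; with the user in both equals() and hashCode(), each identity, including a null one, gets its own entry.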
