Date: Tue, 2 Aug 2016 19:23:20 +0000 (UTC)
From: "Andrew Purtell (JIRA)"
To: dev@phoenix.apache.org
Subject: [jira] [Commented] (PHOENIX-3126) The driver implementation should take into account the context of the user

[ https://issues.apache.org/jira/browse/PHOENIX-3126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15404629#comment-15404629 ]

Andrew Purtell commented on PHOENIX-3126:
-----------------------------------------

I don't think we would see a null but that's a set of 'famous last words' right before your process blows up with an NPE, so good to make this change just in case. Also worth logging if it ever is null? - because that's going to be a security problem.

> The driver implementation should take into account the context of the user
> --------------------------------------------------------------------------
>
>                 Key: PHOENIX-3126
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3126
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Devaraj Das
>             Fix For: 4.8.0
>
>         Attachments: PHOENIX-3126.txt, aaaa.java
>
>
> Ran into this issue ...
> We have an application that proxies various users internally and fires queries for those users. The Phoenix driver implementation caches connections it successfully creates and keys it by the ConnectionInfo. The ConnectionInfo doesn't take into consideration the "user". So random users (including those that aren't supposed to access) can access the tables in this sort of a setup.
> The fix is to also consider the User in the ConnectionInfo.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
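
The caching problem described in the quoted issue, sketched as an added example that is not part of the original message and is not Phoenix's code or the attached patch. All class, record and method names are hypothetical stand-ins, the host and user names are constructed, and refusing a null user (rather than only logging it) is a choice made for this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

// Added illustration; hypothetical names, not Phoenix's classes. Requires Java 16+ (records).
public class UserScopedCacheDemo {
    private static final Logger LOG = Logger.getLogger("UserScopedCacheDemo");
    // Stand-in for a cached connection; remembers whose credentials opened it.
    record Services(String openedAs) {}

    // "Before" key: cluster coordinates only, so every user maps to the same entry.
    record ClusterKey(String quorum, int port) {}

    // "After" key: the principal takes part in the record's equals()/hashCode().
    record UserKey(String quorum, int port, String principal) {
        UserKey {
            if (principal == null) {
                // A null user would collapse all callers into one entry again,
                // so log it and refuse rather than cache under it (example's choice).
                LOG.severe("null principal for " + quorum + ":" + port);
                throw new IllegalArgumentException("principal must not be null");
            }
        }
    }

    static final Map<ClusterKey, Services> sharedCache = new ConcurrentHashMap<>();
    static final Map<UserKey, Services> perUserCache = new ConcurrentHashMap<>();

    static Services connectShared(String quorum, int port, String user) {
        return sharedCache.computeIfAbsent(new ClusterKey(quorum, port), k -> new Services(user));
    }

    static Services connectPerUser(String quorum, int port, String user) {
        return perUserCache.computeIfAbsent(new UserKey(quorum, port, user), k -> new Services(user));
    }

    public static void main(String[] args) {
        // Constructed sample: a proxy application serving two end users in turn.
        connectShared("zk1", 2181, "alice");
        System.out.println("shared cache, bob gets: " + connectShared("zk1", 2181, "bob").openedAs());
        connectPerUser("zk1", 2181, "alice");
        System.out.println("per-user cache, bob gets: " + connectPerUser("zk1", 2181, "bob").openedAs());
        try {
            connectPerUser("zk1", 2181, null);
        } catch (IllegalArgumentException e) {
            System.out.println("null user rejected: " + e.getMessage());
        }
    }
}
```

With the cluster-only key, the second caller is handed the entry created under the first caller's identity; with the user in the key, each principal gets its own entry.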