phoenix-dev mailing list archives

From "Ankit Singhal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3756) Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
Date Tue, 04 Apr 2017 17:15:41 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955446#comment-15955446 ]

Ankit Singhal commented on PHOENIX-3756:
----------------------------------------

Thanks [~elserj] for the update. 

* Can you also add this compatibility check when you are catching accessDeniedException for
the meta table, so that we will still be doing compatibility checks (for version compatibility and consistent
namespace property) and end the flow if the SYSTEM.CATALOG table doesn't exist.

{code}
checkClientServerCompatibility(
                            SchemaUtil.getPhysicalName(SYSTEM_CATALOG_NAME_BYTES, this.getProps()).getName());
{code}

* We should not be returning early here. Ignore the exception and let "(tableNames.size()
== 0) { return true; }" take care of the flow. A NamespaceNotExist exception will be thrown
if a non-upgraded system table exists; otherwise the client can fail at a later stage while accessing
namespace-mapped system tables.
{code}
+            // Namespace-mapping is enabled at this point.
+            try {
+                ensureNamespaceCreated(QueryConstants.SYSTEM_SCHEMA_NAME);
+            } catch (PhoenixIOException e) {
+                // User might not be privileged to access the Phoenix system tables
+                // in the HBase "SYSTEM" namespace (lacking 'ADMIN'). Let them proceed without
+                // verifying the system table configuration.
+                logger.warn("Could not access system namespace, assuming it exists");
+                return false;
+            }
{code}
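
Review bot: The `catch (PhoenixIOException e)` block handles any PhoenixIOException from ensureNamespaceCreated, not only the missing-ADMIN case its comment describes, so an unrelated failure would also skip verification of the system table configuration. Restrict the handler to the access-denied cause and rethrow anything else, and pass `e` to `logger.warn` so the log records why the namespace could not be accessed.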

** You may need to move the code which removes the SYSTEM.MUTEX table name from tables before the tableNames.size()
condition, as this may be needed until PHOENIX-3757 is fixed.
{code}
tableNames.remove(TableName.valueOf(PhoenixDatabaseMetaData.SYSTEM_MUTEX_NAME));
{code}


* And after the above, we can remove this check.
{code}
 if (!ensureSystemTablesUpgraded(ConnectionQueryServicesImpl.this.getProps())) {
+                                        logger.debug("Failed to upgrade system tables, assuming
they are properly configured.");
+                                        success = true;
+                                        return null;
+                                    }
{code}
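
Review bot: In the `!ensureSystemTablesUpgraded(...)` branch, a failed check sets `success = true` and is reported only through `logger.debug`, so at default log levels a connection that skipped system table verification looks the same as one that passed it. If this branch stays, log at warn and include the reason the upgrade check failed.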


> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users would need ADMIN on the default HBase namespace. However, when {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
