phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3756) Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
Date Tue, 04 Apr 2017 17:36:41 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955477#comment-15955477
] 

Josh Elser commented on PHOENIX-3756:
-------------------------------------

bq. we should not be returning early here, Ignore the exception and let "(tableNames.size()
== 0) { return true; }" to take care the flow. NamespaceNotExist Exception will be thrown
if non upgraded system table exists otherwise client can fail in later stage while accessing
namespace mapped system tables.

The problem here was the case where the system tables exist and are properly configured, the
client fails to connect as they receive the same AccessDeniedException trying to access the
{{NamespaceDescriptor}}. I was intending to just ignore the whole issue of non-upgrade system
tables.

I guess we need to somehow differentiate between "we couldn't determine if the namespace exists"
and "we couldn't create the namespace". I think they're both treated similarly now. Last I
looked at the API, there was no similar method that allowed us to list the namespaces, like
exists for tables. Let me double check.

> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, PHOENIX-3756.003.patch,
PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users would need
ADMIN on the default HBase namespace. However, when {{phoenix.schema.isNamespaceMappingEnabled=true}}
and Phoenix creates its system tables in the {{SYSTEM}} HBase namespace, unprivileged users
(those lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the {{NamespaceDescriptor}}
for the {{SYSTEM}} namespace which requires the ADMIN permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message