phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ankit Singhal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3756) Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
Date Tue, 04 Apr 2017 17:52:42 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955508#comment-15955508
] 

Ankit Singhal commented on PHOENIX-3756:
----------------------------------------

bq. The problem here was the case where the system tables exist and are properly configured,
the client fails to connect as they receive the same AccessDeniedException trying to access
the NamespaceDescriptor. I was intending to just ignore the whole issue of non-upgrade system
tables.

Yes, That's why you just need to catch the exception thrown by ensureNamespaceCreated and
ignore it. if there are tables which are not upgraded then flow will continue to upgrade them
otherwise return normally. And there is no need to check SYSTEM namespace exists or not. because
the user will get a proper exception if meta table doesn't exist and the code tries to create
it in the non-existing namespace.



> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, PHOENIX-3756.003.patch,
PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users would need
ADMIN on the default HBase namespace. However, when {{phoenix.schema.isNamespaceMappingEnabled=true}}
and Phoenix creates its system tables in the {{SYSTEM}} HBase namespace, unprivileged users
(those lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the {{NamespaceDescriptor}}
for the {{SYSTEM}} namespace which requires the ADMIN permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message