phoenix-dev mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4528) PhoenixAccessController checks permissions only at table level when creating views
Date Sun, 14 Jan 2018 04:11:03 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16325437#comment-16325437 ]

Hadoop QA commented on PHOENIX-4528:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12906012/PHOENIX-4528.001.patch
  against master branch at commit 27d6582827b9306e66d3bfd430c6186ac165fb08.
  ATTACHMENT ID: 12906012

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:red}-1 release audit{color}.  The applied patch generated 1 release audit warnings (more than the master's current 0 warnings).

    {color:red}-1 lineLengths{color}.  The patch introduces the following lines longer than 100:
    +            verifyAllowed(grantPermissions("C", regularUser1, surroundWithDoubleQuotes(SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE),
true), superUser1);
+            verifyAllowed(grantPermissions("C", regularUser1, surroundWithDoubleQuotes(SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE),
true), superUser1);
+            verifyAllowed(grantPermissions("RX", regularUser1, surroundWithDoubleQuotes(SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE),
true), superUser1);
+                        // Use AccessControlClient API's if the accessController is an instance
of org.apache.hadoop.hbase.security.access.AccessController
+                            userPermissions.addAll(AccessControlClient.getUserPermissions(connection,
tableName.getNameAsString()));
+                                    connection, AuthUtil.toGroupEntry(tableName.getNamespaceAsString())));
+                            getUserPermsFromUserDefinedAccessController(userPermissions,
connection, (AccessControlService.Interface) service);
+            private void getUserPermsFromUserDefinedAccessController(final List<UserPermission>
userPermissions, Connection connection, AccessControlService.Interface service) {
+                AccessControlProtos.GetUserPermissionsRequest.Builder builderTablePerms =
AccessControlProtos.GetUserPermissionsRequest
+                AccessControlProtos.GetUserPermissionsRequest requestTablePerms = builderTablePerms.build();
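
Review bot: The namespace lookup in the line ending `connection, AuthUtil.toGroupEntry(tableName.getNamespaceAsString())));` builds its argument with a helper named for group entries. That produces the right string only because group entries and namespace entries share the same `@` prefix, so the call reads as a group lookup; a short comment or a namespace-specific helper would make the intent clear. The listed lines also need wrapping to stay under the 100-column limit, and the `grantPermissions("C", regularUser1, ...)` call that appears twice could move into a small local helper if both occurrences sit in the same test class.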

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1709//testReport/
Release audit warnings: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1709//artifact/patchprocess/patchReleaseAuditWarnings.txt
Console output: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1709//console

This message is automatically generated.

> PhoenixAccessController checks permissions only at table level when creating views
> ----------------------------------------------------------------------------------
>
>                 Key: PHOENIX-4528
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4528
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Assignee: Karan Mehta
>         Attachments: PHOENIX-4528.001.patch, PHOENIX-4528.repro-test.diff
>
>
> The {{PhoenixAccessController#preCreateTable()}} method is invoked every time a user wants to create a view on a base table. The {{requireAccess()}} method takes in tableName as the parameter and checks for user permissions only at that table level. The correct approach is to also check permissions at namespace level, since it is at a larger scope than per table level.
> For example, if the table name is {{TEST_SCHEMA.TEST_TABLE}}, it will be created as {{TEST_SCHEMA:TEST_TABLE}} HBase table if namespace mapping is enabled. View creation on this table would fail if permissions are granted to just {{TEST_SCHEMA}} and not on {{TEST_TABLE}}. It works correctly if the same permissions are granted at table level too.
> FYI. [~ankit.singhal] [~twdsilva@gmail.com]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
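
The table-versus-namespace check described in the quoted issue, as an added example that is not part of the original message or of the PHOENIX-4528 patch. It is a simplified in-memory model: the class name, the scope-key convention and the sample grants are all assumptions made for illustration, and it compares a table-only check with one that also consults the enclosing namespace.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Simplified model of scoped grants (hypothetical class, not Phoenix or HBase code). */
public class ScopedAccessCheck {
    // user -> scope -> action codes ('R', 'X', 'C', ...); "@NS" is a namespace scope,
    // "NS:TABLE" a table scope (naming convention assumed for this model).
    private final Map<String, Map<String, Set<Character>>> grants = new HashMap<>();

    void grant(String user, String scope, String actions) {
        Set<Character> held = grants.computeIfAbsent(user, u -> new HashMap<>())
                                    .computeIfAbsent(scope, s -> new HashSet<>());
        for (char a : actions.toCharArray()) held.add(a);
    }

    private boolean has(String user, String scope, char action) {
        Map<String, Set<Character>> byScope = grants.getOrDefault(user, Collections.emptyMap());
        return byScope.getOrDefault(scope, Collections.emptySet()).contains(action);
    }

    /** Behaviour the report describes: only the table scope is consulted. */
    boolean tableOnly(String user, String ns, String table, String required) {
        for (char a : required.toCharArray())
            if (!has(user, ns + ":" + table, a)) return false;
        return true;
    }

    /** Each required action may come from the table or from its enclosing namespace. */
    boolean tableOrNamespace(String user, String ns, String table, String required) {
        for (char a : required.toCharArray())
            if (!has(user, ns + ":" + table, a) && !has(user, "@" + ns, a)) return false;
        return true;
    }

    public static void main(String[] args) {
        ScopedAccessCheck acl = new ScopedAccessCheck();
        // Constructed sample grants: namespace-level only, nothing on the table itself.
        acl.grant("regularUser1", "@TEST_SCHEMA", "RX");
        acl.grant("regularUser2", "@OTHER_SCHEMA", "RX");
        System.out.println(acl.tableOnly("regularUser1", "TEST_SCHEMA", "TEST_TABLE", "RX"));
        System.out.println(acl.tableOrNamespace("regularUser1", "TEST_SCHEMA", "TEST_TABLE", "RX"));
        // A grant on an unrelated namespace must not satisfy the check.
        System.out.println(acl.tableOrNamespace("regularUser2", "TEST_SCHEMA", "TEST_TABLE", "RX"));
        // Actions not granted at either scope are still refused.
        System.out.println(acl.tableOrNamespace("regularUser1", "TEST_SCHEMA", "TEST_TABLE", "RXC"));
    }
}
```

The two negative cases matter as much as the positive one: widening a check to a larger scope should be paired with tests that a grant on a different namespace, or a missing action, is still denied.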
