phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ankit Singhal (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (PHOENIX-2717) Unable to login if no "create" permission in HBase
Date Thu, 22 Mar 2018 07:22:00 GMT

     [ https://issues.apache.org/jira/browse/PHOENIX-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Ankit Singhal resolved PHOENIX-2717.
------------------------------------
       Resolution: Fixed
    Fix Version/s: 4.11.0

fixed as part of https://issues.apache.org/jira/browse/PHOENIX-3756 

> Unable to login if no "create" permission in HBase
> --------------------------------------------------
>
>                 Key: PHOENIX-2717
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2717
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0
>         Environment: HDP 2.3.4
>            Reporter: mathias kluba
>            Priority: Blocker
>             Fix For: 4.11.0
>
>
> I'm using HBase with Ranger, but I guess that we could have the same issue with internal
HBase permission system.
> When I try to connect to "hbase" using phoenix client, it crashes because of "Access
Denied" exception.
> The phoenix client try to create the SYSTEM.CATALOG table (and other SYSTEM tables) and
catch only 2 exceptions :
> NewerTableAlreadyExistsException and TableAlreadyExistsException 
> It doesn't catch the "access denied" exception.
> https://github.com/apache/phoenix/blob/master/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L2279
> In the end, I'm not able to connect to HBase using Phoenix for read purpose, I don't
need to be able to create these SYSTEM tables...
> I think that the code is a little bit dirty: it should check the existence of the table
instead of trying to create it and catch exception.
> I have a workaround for now: I grant the "create" permission in Ranger for "SYSTEM.*"
tables: they already exist before the user try to connect, so it's not a problem to give them
this access.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message