phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rajeshbabu Chintaguntla (Jira)" <j...@apache.org>
Subject [jira] [Updated] (PHOENIX-4753) Remove the need for users to have Write access to the Phoenix SYSTEM STATS TABLE to drop tables
Date Wed, 06 May 2020 12:21:00 GMT

     [ https://issues.apache.org/jira/browse/PHOENIX-4753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Rajeshbabu Chintaguntla updated PHOENIX-4753:
---------------------------------------------
    Attachment: PHOENIX-4753_v2.patch

> Remove the need for users to have Write access to the Phoenix SYSTEM STATS TABLE to drop
tables
> -----------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-4753
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4753
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Saumil Mayani
>            Assignee: Rajeshbabu Chintaguntla
>            Priority: Major
>              Labels: SFDC, namespaces, security
>         Attachments: PHOENIX-4753.patch, PHOENIX-4753_v2.patch
>
>
> Problem statement:-
> With [PHOENIX-4198|https://issues.apache.org/jira/browse/PHOENIX-4198] a user only needs
RX permissions for SYSTEM CATALOG Table, however, it required to have a write permission to
SYSTEM STATS Table when performing drop operation on a table. This is a security concern as
they can create/alter/drop/corrupt STATS data of any other table without proper access to
the corresponding physical tables.
> STEPS TO REPRODUCE:
> 1. Set the following properties in hbase-site.xml:
>  
> {code:java}
> # File: hbase-site.xml
>  
> # Properties=value
> hbase.security.authorization=true
> hbase.coprocessor.master.classes=org.apache.hadoop.hbase.security.access.AccessController
> hbase.coprocessor.region.classes=org.apache.hadoop.hbase.security.access.AccessController,
> org.apache.hadoop.hbase.security.token.TokenProvider,
> org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint
> hbase.coprocessor.regionserver.classes=org.apache.hadoop.hbase.security.access.AccessController
> phoenix.acls.enabled=true
> phoenix.schema.isNamespaceMappingEnabled=true
> phoenix.schema.mapSystemTablesToNamespace=true
> {code}
>  
> 2.  Grant READ permission on SYSTEM Namespace and RWXCA on the user Namespace, to the
user:
>  
> {code:java}
> # Example: user01t01 belong to tenant01
>  
> # Grant a user read permission to "SYSTEM" Namespace
> > grant 'user01t01', 'RX' , '@SYSTEM'
>  
> # Grant respective 'RWXCA' [READ('R'), WRITE('W'), EXEC('X'),
> CREATE('C'), ADMIN('A')] permissions on user namespace
> > grant 'user01t01', 'RWXCA' , '@TENANT01'
> {code}
>  
> 3. Login as 'user01t01' and perform the operations. to create table, add data , update
statistics and drop table.
>  
> {code:java}
> # Login as the user 'user01t01'
> kinit user01t01
> # create table under namespace / schema tenant01
> create table tenant01.test (mykey integer not null primary key, mycolumn varchar);
> # Insert some data
> upsert into tenant01.test values (1,'Hello');
> upsert into tenant01.test values (2,'World!');
> # select / read back the data inserted.
> select * from tenant01.test;
> # check if the STATS table has information for "tenant01.test"
> select * from SYSTEM.STATS where PHYSICAL_NAME='TENANT01:TEST';
> # If no record in SYSTEM.STATS, update stats.
> update statistics tenant01.test;
> # Drop the table
> drop table tenant01.test;
> {code}
>  
>  
> Following Error gets reported, although the Table is dropped from SYSTEM:CATALOG Table,
but the record exist in SYSTEM:STATS Table.
>  
> {code:java}
> Error: org.apache.phoenix.exception.PhoenixIOException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions (user=user01t01@EXAMPLE.COM, scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167) (state=08000,code=101)
> org.apache.phoenix.exception.PhoenixIOException: org.apache.phoenix.exception.PhoenixIOException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user01t01@EXAMPLE.COM,
scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167)
> at org.apache.phoenix.util.ServerUtil.parseServerException(ServerUtil.java:117)
> at org.apache.phoenix.iterate.BaseResultIterators.getIterators(BaseResultIterators.java:780)
> at org.apache.phoenix.iterate.BaseResultIterators.getIterators(BaseResultIterators.java:721)
> at org.apache.phoenix.iterate.ConcatResultIterator.getIterators(ConcatResultIterator.java:50)
> at org.apache.phoenix.iterate.ConcatResultIterator.currentIterator(ConcatResultIterator.java:97)
> at org.apache.phoenix.iterate.ConcatResultIterator.next(ConcatResultIterator.java:117)
> at org.apache.phoenix.iterate.BaseGroupedAggregatingResultIterator.next(BaseGroupedAggregatingResultIterator.java:64)
> at org.apache.phoenix.iterate.UngroupedAggregatingResultIterator.next(UngroupedAggregatingResultIterator.java:39)
> at org.apache.phoenix.compile.DeleteCompiler$2.execute(DeleteCompiler.java:561)
> at org.apache.phoenix.jdbc.PhoenixStatement$2.call(PhoenixStatement.java:343)
> at org.apache.phoenix.jdbc.PhoenixStatement$2.call(PhoenixStatement.java:331)
> at org.apache.phoenix.call.CallRunner.run(CallRunner.java:53)
> at org.apache.phoenix.jdbc.PhoenixStatement.executeMutation(PhoenixStatement.java:330)
> at org.apache.phoenix.jdbc.PhoenixStatement.execute(PhoenixStatement.java:1440)
> at org.apache.phoenix.schema.MetaDataClient.deleteFromStatsTable(MetaDataClient.java:2457)
> at org.apache.phoenix.schema.MetaDataClient.dropTable(MetaDataClient.java:2416)
> at org.apache.phoenix.schema.MetaDataClient.dropTable(MetaDataClient.java:2277)
> at org.apache.phoenix.jdbc.PhoenixStatement$ExecutableDropTableStatement$1.execute(PhoenixStatement.java:888)
> at org.apache.phoenix.jdbc.PhoenixStatement$2.call(PhoenixStatement.java:343)
> at org.apache.phoenix.jdbc.PhoenixStatement$2.call(PhoenixStatement.java:331)
> at org.apache.phoenix.call.CallRunner.run(CallRunner.java:53)
> at org.apache.phoenix.jdbc.PhoenixStatement.executeMutation(PhoenixStatement.java:330)
> at org.apache.phoenix.jdbc.PhoenixStatement.execute(PhoenixStatement.java:1440)
> at sqlline.Commands.execute(Commands.java:822)
> at sqlline.Commands.sql(Commands.java:732)
> at sqlline.SqlLine.dispatch(SqlLine.java:808)
> at sqlline.SqlLine.begin(SqlLine.java:681)
> at sqlline.SqlLine.start(SqlLine.java:398)
> at sqlline.SqlLine.main(SqlLine.java:292)
> Caused by: java.util.concurrent.ExecutionException: org.apache.phoenix.exception.PhoenixIOException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user01t01@EXAMPLE.COM,
scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167)
> at java.util.concurrent.FutureTask.report(FutureTask.java:122)
> at java.util.concurrent.FutureTask.get(FutureTask.java:206)
> at org.apache.phoenix.iterate.BaseResultIterators.getIterators(BaseResultIterators.java:775)
> ... 27 more
> Caused by: org.apache.phoenix.exception.PhoenixIOException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions (user=user01t01@EXAMPLE.COM, scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167)
> at org.apache.phoenix.util.ServerUtil.parseServerException(ServerUtil.java:117)
> at org.apache.phoenix.iterate.TableResultIterator.initScanner(TableResultIterator.java:252)
> at org.apache.phoenix.iterate.ParallelIterators$1.call(ParallelIterators.java:113)
> at org.apache.phoenix.iterate.ParallelIterators$1.call(ParallelIterators.java:108)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at org.apache.phoenix.job.JobManager$InstrumentedJobFutureTask.run(JobManager.java:183)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions (user=user01t01@EXAMPLE.COM, scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
> at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:95)
> at org.apache.hadoop.hbase.protobuf.ProtobufUtil.getRemoteException(ProtobufUtil.java:335)
> at org.apache.hadoop.hbase.client.ScannerCallable.openScanner(ScannerCallable.java:391)
> at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:208)
> at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:63)
> at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithoutRetries(RpcRetryingCaller.java:211)
> at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:396)
> at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:370)
> at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:136)
> at org.apache.hadoop.hbase.client.ResultBoundedCompletionService$QueueingFuture.run(ResultBoundedCompletionService.java:80)
> ... 3 more
> Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException):
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user01t01@EXAMPLE.COM,
scope=SYSTEM:STATS, family=0:, params=[table=SYSTEM:STATS,family=0:],action=WRITE)
> at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1701)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:941)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:937)
> at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:3055)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3019)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2965)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commitBatch(UngroupedAggregateRegionObserver.java:225)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.commit(UngroupedAggregateRegionObserver.java:764)
> at org.apache.phoenix.coprocessor.UngroupedAggregateRegionObserver.doPostScannerOpen(UngroupedAggregateRegionObserver.java:667)
> at org.apache.phoenix.coprocessor.BaseScannerRegionObserver.postScannerOpen(BaseScannerRegionObserver.java:237)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$52.call(RegionCoprocessorHost.java:1301)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1699)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.postScannerOpen(RegionCoprocessorHost.java:1296)
> at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2404)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32385)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2150)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:187)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:167)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1227)
> at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:218)
> at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:292)
> at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.scan(ClientProtos.java:32831)
> at org.apache.hadoop.hbase.client.ScannerCallable.openScanner(ScannerCallable.java:383)
> ... 10 more
> {code}
>  
> Workaround:
> Give Write (W) permissions to Users Group SYSTEM:STATS Table.
> > grant '@group', 'RWX' , 'SYSTEM:STATS'
> This is a security concern as they can create/alter/drop/corrupt STATS data of any other
table without proper access to the corresponding physical tables.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message