This is an automated email from the ASF dual-hosted git repository.
chinmayskulkarni pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/master by this push:
new 33d6b34 PHOENIX-5374: Incorrect exception thrown in some cases when
client does not have Exec permissions on SYSTEM:CATALOG
33d6b34 is described below
commit 33d6b3414078b1a429be056f271bfd0ac8c7f158
Author: Chinmay Kulkarni <[email protected]>
AuthorDate: Tue Jun 25 22:36:23 2019 -0700
PHOENIX-5374: Incorrect exception thrown in some cases when client does not
have Exec permissions on SYSTEM:CATALOG
---
.../phoenix/end2end/PermissionNSEnabledIT.java | 49 ++++++++++++++++++++++
.../phoenix/query/ConnectionQueryServicesImpl.java | 10 +++--
2 files changed, 56 insertions(+), 3 deletions(-)
diff --git
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
index 22fc297..36fdafc 100644
---
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
+++
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
@@ -17,13 +17,23 @@
*/
package org.apache.phoenix.end2end;
+import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.phoenix.exception.SQLExceptionCode;
+import org.apache.phoenix.util.SchemaUtil;
import org.junit.BeforeClass;
import org.junit.Test;
import java.security.PrivilegedExceptionAction;
+import java.sql.Connection;
+import java.sql.SQLException;
+
+import static
org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_CATALOG_TABLE;
+import static
org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_SCHEMA_NAME;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
public class PermissionNSEnabledIT extends BasePermissionsIT {
@@ -67,4 +77,43 @@ public class PermissionNSEnabledIT extends BasePermissionsIT
{
revokeAll();
}
}
+
+ @Test
+ public void testConnectionCreationFailsWhenNoExecPermsOnSystemCatalog()
throws Throwable {
+ try {
+ grantSystemTableAccess();
+ superUser1.runAs((PrivilegedExceptionAction<Object>) () -> {
+ TableName systemCatalogTableName =
+ TableName.valueOf(SchemaUtil.getPhysicalHBaseTableName(
+ SYSTEM_SCHEMA_NAME, SYSTEM_CATALOG_TABLE,
true).getString());
+ try {
+ // Revoke Exec permissions for SYSTEM CATALOG for the
unprivileged user
+ AccessControlClient.revoke(getUtility().getConnection(),
systemCatalogTableName,
+ unprivilegedUser.getShortName(), null, null,
Permission.Action.EXEC);
+ } catch (Throwable t) {
+ if (t instanceof Exception) {
+ throw (Exception)t;
+ } else {
+ throw new Exception(t);
+ }
+ }
+ return null;
+ });
+ unprivilegedUser.runAs((PrivilegedExceptionAction<Void>) () -> {
+ try (Connection ignored = getConnection()) {
+ // We expect this to throw a wrapped AccessDeniedException.
+ fail("Should have failed with a wrapped
AccessDeniedException");
+ } catch (Throwable ex) {
+ assertTrue("Should not get an incompatible jars exception",
+ ex instanceof SQLException &&
((SQLException)ex).getErrorCode() !=
+
SQLExceptionCode.INCOMPATIBLE_CLIENT_SERVER_JAR.getErrorCode());
+ assertTrue("Expected a wrapped AccessDeniedException",
+ ex.getCause() instanceof AccessDeniedException);
+ }
+ return null;
+ });
+ } finally {
+ revokeAll();
+ }
+ }
}
diff --git
a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
index d5d3d34..e2eb079 100644
---
a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
+++
b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
@@ -1365,8 +1365,12 @@ public class ConnectionQueryServicesImpl extends
DelegateQueryServices implement
return MetaDataUtil.areClientAndServerCompatible(serverVersion);
}
- private void checkClientServerCompatibility(byte[] metaTable) throws
SQLException {
- StringBuilder buf = new StringBuilder("Newer Phoenix clients can't
communicate with older Phoenix servers. The following servers require an
updated " + QueryConstants.DEFAULT_COPROCESS_JAR_NAME + " to be put in the
classpath of HBase: ");
+ private void checkClientServerCompatibility(byte[] metaTable) throws
SQLException,
+ AccessDeniedException {
+ StringBuilder buf = new StringBuilder("Newer Phoenix clients can't
communicate with older "
+ + "Phoenix servers. The following servers require an updated "
+ + QueryConstants.DEFAULT_COPROCESS_JAR_NAME
+ + " to be put in the classpath of HBase: ");
boolean isIncompatible = false;
int minHBaseVersion = Integer.MAX_VALUE;
boolean isTableNamespaceMappingEnabled = false;
@@ -1435,7 +1439,7 @@ public class ConnectionQueryServicesImpl extends
DelegateQueryServices implement
+ " is consistent on client and server.")
.build().buildException(); }
lowestClusterHBaseVersion = minHBaseVersion;
- } catch (SQLException e) {
+ } catch (SQLException | AccessDeniedException e) {
throw e;
} catch (Throwable t) {
// This is the case if the "phoenix.jar" is not on the classpath
of HBase on the region server
