[jira] [Commented] (PHOENIX-2717) Unable to login if no "create" permission in HBase

Fri, 04 Mar 2016 04:20:54 -0800 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179812#comment-15179812
 ] 

Rajeshbabu Chintaguntla commented on PHOENIX-2717:
--------------------------------------------------

[~mathias.kluba]
bq. When I try to connect to "hbase" using phoenix client, it crashes because 
of "Access Denied" exception.
With which user you are trying to connect to connect to HBase from phoenix 
client. Ambari should have added policy to access system tables by any user so 
then you should not get Access Denied exception. Can you please provide the 
policies for HBase?

> Unable to login if no "create" permission in HBase
> --------------------------------------------------
>
>                 Key: PHOENIX-2717
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2717
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0
>         Environment: HDP 2.3.4
>            Reporter: mathias kluba
>            Priority: Blocker
>
> I'm using HBase with Ranger, but I guess that we could have the same issue 
> with internal HBase permission system.
> When I try to connect to "hbase" using phoenix client, it crashes because of 
> "Access Denied" exception.
> The phoenix client try to create the SYSTEM.CATALOG table (and other SYSTEM 
> tables) and catch only 2 exceptions :
> NewerTableAlreadyExistsException and TableAlreadyExistsException 
> It doesn't catch the "access denied" exception.
> https://github.com/apache/phoenix/blob/master/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L2279
> In the end, I'm not able to connect to HBase using Phoenix for read purpose, 
> I don't need to be able to create these SYSTEM tables...
> I think that the code is a little bit dirty: it should check the existence of 
> the table instead of trying to create it and catch exception.
> I have a workaround for now: I grant the "create" permission in Ranger for 
> "SYSTEM.*" tables: they already exist before the user try to connect, so it's 
> not a problem to give them this access.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to