[
https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949614#comment-15949614
]
Josh Elser commented on PHOENIX-3756:
-------------------------------------
Turns out that when [~sergey.soldatov] was looking at PHOENIX-3652 initially,
he mocked up a fix by catching the {{AccessDeniedException}} being thrown from
the server and essentially breaking out of the system table check.
This does prevent the fail-fast case when the system tables don't exist, but we
don't really have a way around this for unprivileged users.
Will attach the patch I got working locally (again, really Sergey's work!)
shortly.
> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
> Key: PHOENIX-3756
> URL: https://issues.apache.org/jira/browse/PHOENIX-3756
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.11.0
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users
> would need ADMIN on the default HBase namespace. However, when
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
