[jira] [Commented] (PHOENIX-3756) Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix

Mon, 03 Apr 2017 13:47:57 -0700 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954146#comment-15954146
 ] 

James Taylor commented on PHOENIX-3756:
---------------------------------------

Patch looks good to me, but maybe one possible issue: is there a possibility 
that the AccessDeniedException would be further down the cause chain?
{code}
+                                } catch (PhoenixIOException e) {
+                                    if (e.getCause() instanceof 
AccessDeniedException) {
+                                        // Pass
+                                        logger.warn("Could not check for 
Phoenix SYSTEM tables, assuming they exist and are properly configured");
+                                        success = true;
+                                    } else {
+                                        initializationException = e;
+                                    }
+                                    return null;
{code}
If so, would it be better to use {{if (Throwables.getRootCause(e) instanceof 
AccessDeniedException}} or {{if (ExceptionUtils.getRootCause() instanceof 
AccessDeniedException)}}?

> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, 
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users 
> would need ADMIN on the default HBase namespace. However, when 
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its 
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those 
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the 
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN 
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to