[ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955477#comment-15955477 ]
Josh Elser commented on PHOENIX-3756: ------------------------------------- bq. we should not be returning early here, Ignore the exception and let "(tableNames.size() == 0) { return true; }" to take care the flow. NamespaceNotExist Exception will be thrown if non upgraded system table exists otherwise client can fail in later stage while accessing namespace mapped system tables. The problem here was the case where the system tables exist and are properly configured, the client fails to connect as they receive the same AccessDeniedException trying to access the {{NamespaceDescriptor}}. I was intending to just ignore the whole issue of non-upgrade system tables. I guess we need to somehow differentiate between "we couldn't determine if the namespace exists" and "we couldn't create the namespace". I think they're both treated similarly now. Last I looked at the API, there was no similar method that allowed us to list the namespaces, like exists for tables. Let me double check. > Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix > ------------------------------------------------------------------------ > > Key: PHOENIX-3756 > URL: https://issues.apache.org/jira/browse/PHOENIX-3756 > Project: Phoenix > Issue Type: Bug > Reporter: Josh Elser > Assignee: Josh Elser > Fix For: 4.11.0 > > Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, > PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch > > > Follow-on from PHOENIX-3652: > The fix provided in PHOENIX-3652 addressed the default situation where users > would need ADMIN on the default HBase namespace. However, when > {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its > system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those > lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix. > The root-cause is essentially the same: the code tries to fetch the > {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN > permission. > https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037 -- This message was sent by Atlassian JIRA (v6.3.15#6346)