[ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955477#comment-15955477 ]

Josh Elser commented on PHOENIX-3756:
-------------------------------------

bq. We should not be returning early here. Ignore the exception and let 
"(tableNames.size() == 0) { return true; }" take care of the flow. 
NamespaceNotExist Exception will be thrown if a non-upgraded system table 
exists; otherwise the client can fail at a later stage while accessing 
namespace-mapped system tables.

The problem here was the case where the system tables exist and are properly 
configured, the client fails to connect as they receive the same 
AccessDeniedException trying to access the {{NamespaceDescriptor}}. I was 
intending to just ignore the whole issue of non-upgrade system tables.

I guess we need to somehow differentiate between "we couldn't determine if the 
namespace exists" and "we couldn't create the namespace". I think they're both 
treated similarly now. Last I looked at the API, there was no similar method 
that allowed us to list the namespaces, like exists for tables. Let me double 
check.

> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, 
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users 
> would need ADMIN on the default HBase namespace. However, when 
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its 
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those 
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root cause is essentially the same: the code tries to fetch the 
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN 
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
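
The distinction raised in the comment above, between being unable to determine whether the namespace exists and being unable to create it, as an added example that is not code from Phoenix, HBase or the attached patches. The types `NamespaceAdmin`, `AccessDenied` and `NamespaceNotFound` are hypothetical stand-ins, and letting an unprivileged client proceed on an unknown result is an assumed policy.

```java
import java.io.IOException;

// Added example: every type here is a stand-in, not an HBase or Phoenix class.
public class NamespaceCheck {
    static class AccessDenied extends IOException {}      // stand-in for AccessDeniedException
    static class NamespaceNotFound extends IOException {} // stand-in for "namespace missing"

    interface NamespaceAdmin {                            // hypothetical slice of an admin API
        void describe(String ns) throws IOException;      // assumed to need ADMIN on the namespace
        void create(String ns) throws IOException;
    }

    enum State { EXISTS, MISSING, UNKNOWN }

    // "Couldn't determine" becomes its own state instead of being folded into a failure.
    static State probe(NamespaceAdmin admin, String ns) throws IOException {
        try {
            admin.describe(ns);
            return State.EXISTS;
        } catch (NamespaceNotFound e) {
            return State.MISSING;
        } catch (AccessDenied e) {
            return State.UNKNOWN;
        }
    }

    // Returns true when the caller may go on to open the system tables.
    static boolean ensureNamespace(NamespaceAdmin admin, String ns) throws IOException {
        switch (probe(admin, ns)) {
            case EXISTS:
                return true;
            case UNKNOWN:
                return true;      // assumed policy: defer to the later table-level checks
            default:
                admin.create(ns); // AccessDenied here means "couldn't create": propagate it
                return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed caller that lacks ADMIN on the namespace.
        NamespaceAdmin unprivileged = new NamespaceAdmin() {
            public void describe(String ns) throws IOException { throw new AccessDenied(); }
            public void create(String ns) throws IOException { throw new AccessDenied(); }
        };
        System.out.println(probe(unprivileged, "SYSTEM"));
        System.out.println(ensureNamespace(unprivileged, "SYSTEM"));
    }
}
```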
