[ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15956375#comment-15956375 ]

Ankit Singhal commented on PHOENIX-3756:
----------------------------------------

Thanks [~elserj] for the amendments, just one more fix and then we are good to 
go.

ensureNamespaceCreated is used by "CREATE SCHEMA" also, so please don't catch 
anything there and let the underprivileged user see the actual exception, which 
can sometimes be an AccessDeniedException.

You just need to silently catch it for SYSTEM namespace in 
ensureSystemTablesUpgraded as per 
[comment|https://issues.apache.org/jira/browse/PHOENIX-3756?focusedCommentId=15955446&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15955446]
 

{code}
private boolean ensureSystemTablesUpgraded(ReadOnlyProps props)
            throws SQLException, IOException, IllegalArgumentException, InterruptedException {
        if (!SchemaUtil.isNamespaceMappingEnabled(PTableType.SYSTEM, props)) { return true; }
        HTableInterface metatable = null;
        try (HBaseAdmin admin = getAdmin()) {
            // Namespace-mapping is enabled at this point.
            try {
                ensureNamespaceCreated(QueryConstants.SYSTEM_SCHEMA_NAME);
            } catch (PhoenixIOException e) {
                // Silently ignored for the SYSTEM namespace only.
            }
{code}

> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, 
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch, 
> PHOENIX-3756.006.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users 
> would need ADMIN on the default HBase namespace. However, when 
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its 
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those 
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the 
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN 
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
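
The split requested in the comment above, as an added example that is not part of the original message or the Phoenix code base: the shared helper always propagates the denial, and only the SYSTEM bootstrap path tolerates it. The class, the in-memory permission set, the `createSchema` method and the boolean return meaning are hypothetical stand-ins; catching only the access-denied type (rather than a broader wrapper exception) is a choice made in this example.

```java
import java.io.IOException;
import java.util.Set;

public class NamespaceAccessDemo {
    // Simplified stand-in for an access-denied error (hypothetical, not the HBase class).
    static class AccessDeniedException extends IOException {
        AccessDeniedException(String msg) { super(msg); }
    }

    static final String SYSTEM = "SYSTEM";
    // Namespaces on which the calling user holds ADMIN (constructed sample data).
    private final Set<String> adminOn;

    NamespaceAccessDemo(Set<String> adminOn) { this.adminOn = adminOn; }

    // Shared by connection bootstrap and CREATE SCHEMA, so it never swallows anything.
    void ensureNamespaceCreated(String namespace) throws IOException {
        if (!adminOn.contains(namespace)) {
            throw new AccessDeniedException("ADMIN required on namespace " + namespace);
        }
        // A real implementation would fetch or create the namespace descriptor here.
    }

    // Bootstrap path: the only place where a denial on SYSTEM is tolerated.
    // Returns true if the namespace check ran, false if it was skipped (example semantics).
    boolean ensureSystemTablesUpgraded() throws IOException {
        try {
            ensureNamespaceCreated(SYSTEM);
            return true;
        } catch (AccessDeniedException e) {
            return false; // unprivileged user can still connect; other IOExceptions propagate
        }
    }

    // CREATE SCHEMA path: the caller sees the real exception.
    void createSchema(String namespace) throws IOException {
        ensureNamespaceCreated(namespace);
    }

    public static void main(String[] args) throws IOException {
        NamespaceAccessDemo user = new NamespaceAccessDemo(Set.of()); // no ADMIN anywhere
        System.out.println("namespace check ran: " + user.ensureSystemTablesUpgraded());
        try {
            user.createSchema("SALES"); // constructed schema name
        } catch (AccessDeniedException e) {
            System.out.println("CREATE SCHEMA surfaced: " + e.getMessage());
        }
    }
}
```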
