[ https://issues.apache.org/jira/browse/PHOENIX-4528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16326768#comment-16326768 ]
ASF GitHub Bot commented on PHOENIX-4528: ----------------------------------------- Github user karanmehta93 commented on a diff in the pull request: https://github.com/apache/phoenix/pull/289#discussion_r161662712 --- Diff: phoenix-core/src/it/java/org/apache/phoenix/end2end/ChangePermissionsIT.java --- 
@@ -267,4 +267,26 @@ public void testMultiTenantTables() throws Exception { verifyAllowed(readMultiTenantTableWithIndex(VIEW1_TABLE_NAME, "o1"), regularUser2); verifyAllowed(readMultiTenantTableWithoutIndex(VIEW2_TABLE_NAME, "o2"), regularUser2); } + + /** + * Grant RX permissions on the schema to regularUser1, + * Creating view on a table with that schema by regularUser1 should be allowed + */ + @Test + public void testCreateViewOnTableWithRXPermsOnSchema() throws Exception { + + startNewMiniCluster(); + grantSystemTableAccess(superUser1, regularUser1, regularUser2, regularUser3); + + if(isNamespaceMapped) { + verifyAllowed(createSchema(SCHEMA_NAME), superUser1); + verifyAllowed(createTable(FULL_TABLE_NAME), superUser1); + verifyAllowed(grantPermissions("RX", regularUser1, SCHEMA_NAME, true), superUser1); + } else { + verifyAllowed(createTable(FULL_TABLE_NAME), superUser1); + verifyAllowed(grantPermissions("RX", regularUser1, surroundWithDoubleQuotes(SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE), true), superUser1); + } + + verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME), regularUser1); + } --- End diff -- If the user has access on the SCHEMA of FULL_TABLE_NAME, that should be sufficient, since namespace is bigger in scope that per table scope. Hence I merge all these permissions and then use the `hasAccess()` method to determine the final access. > PhoenixAccessController checks permissions only at table level when creating > views > ---------------------------------------------------------------------------------- > > Key: PHOENIX-4528 > URL: https://issues.apache.org/jira/browse/PHOENIX-4528 > Project: Phoenix > Issue Type: Bug > Reporter: Karan Mehta > Assignee: Karan Mehta > Priority: Major > Attachments: PHOENIX-4528.001.patch, PHOENIX-4528.repro-test.diff > > > The {{PhoenixAccessController#preCreateTable()}} method is invoked everytime > a user wants to create a view on a base table. 
The {{requireAccess()}} method > takes in tableName as the parameter and checks for user permissions only at > that table level. The correct approach is to also check permissions at > namespace level, since it is at a larger scope than per table level. > For example, if the table name is {{TEST_SCHEMA.TEST_TABLE}}, it will be created > as {{TEST_SCHEMA:TEST_TABLE}} HBase table if namespace mapping is enabled. > View creation on this table would fail if permissions are granted to just > {{TEST_SCHEMA}} and not on {{TEST_TABLE}}. It works correctly if the same > permissions are granted at table level too. > FYI. [~ankit.singhal] [~twdsi...@gmail.com]
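Review bot: The only assertion on the new behaviour in testCreateViewOnTableWithRXPermsOnSchema is the final `verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME), regularUser1);`, so the test would still pass if view creation were permitted for every user. regularUser2 and regularUser3 receive system table access in `grantSystemTableAccess(...)` but are not used again; asserting that one of them, which has no grant on the schema, is refused the same createView call would tie the result to the RX grant on the schema. Two smaller points: the two branches differ only in the createSchema call and in the schema name passed to grantPermissions, so the createTable and grantPermissions calls could be written once with the schema name selected by isNamespaceMapped; and the Javadoc could say that without namespace mapping the grant is made on SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE rather than on SCHEMA_NAME.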