[jira] [Commented] (PHOENIX-4528) PhoenixAccessController checks permissions only at table level when creating views

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/PHOENIX-4528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16326768#comment-16326768
 ] 

ASF GitHub Bot commented on PHOENIX-4528:
-----------------------------------------

Github user karanmehta93 commented on a diff in the pull request:

    https://github.com/apache/phoenix/pull/289#discussion_r161662712
  
    --- Diff: 
phoenix-core/src/it/java/org/apache/phoenix/end2end/ChangePermissionsIT.java ---
    @@ -267,4 +267,26 @@ public void testMultiTenantTables() throws Exception {
             verifyAllowed(readMultiTenantTableWithIndex(VIEW1_TABLE_NAME, 
"o1"), regularUser2);
             verifyAllowed(readMultiTenantTableWithoutIndex(VIEW2_TABLE_NAME, 
"o2"), regularUser2);
         }
    +
    +    /**
    +     * Grant RX permissions on the schema to regularUser1,
    +     * Creating view on a table with that schema by regularUser1 should be 
allowed
    +     */
    +    @Test
    +    public void testCreateViewOnTableWithRXPermsOnSchema() throws 
Exception {
    +
    +        startNewMiniCluster();
    +        grantSystemTableAccess(superUser1, regularUser1, regularUser2, 
regularUser3);
    +
    +        if(isNamespaceMapped) {
    +            verifyAllowed(createSchema(SCHEMA_NAME), superUser1);
    +            verifyAllowed(createTable(FULL_TABLE_NAME), superUser1);
    +            verifyAllowed(grantPermissions("RX", regularUser1, 
SCHEMA_NAME, true), superUser1);
    +        } else {
    +            verifyAllowed(createTable(FULL_TABLE_NAME), superUser1);
    +            verifyAllowed(grantPermissions("RX", regularUser1, 
surroundWithDoubleQuotes(SchemaUtil.SCHEMA_FOR_DEFAULT_NAMESPACE), true), 
superUser1);
    +        }
    +
    +        verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME), 
regularUser1);
    +    }
    --- End diff --
    
    If the user has access on the SCHEMA of FULL_TABLE_NAME, that should be 
sufficient, since namespace is bigger in scope that per table scope. Hence I 
merge all these permissions and then use the `hasAccess()` method to determine 
the final access.


> PhoenixAccessController checks permissions only at table level when creating 
> views
> ----------------------------------------------------------------------------------
>
>                 Key: PHOENIX-4528
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4528
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Karan Mehta
>            Assignee: Karan Mehta
>            Priority: Major
>         Attachments: PHOENIX-4528.001.patch, PHOENIX-4528.repro-test.diff
>
>
> The {{PhoenixAccessController#preCreateTable()}} method is invoked everytime 
> a user wants to create a view on a base table. The {{requireAccess()}} method 
> takes in tableName as the parameter and checks for user permissions only at 
> that table level. The correct approach is to also check permissions at 
> namespace level, since it is at a larger scope than per table level.
> For example, if the table name is {{TEST_SCHEMA.TEST_TABLE}}, it will created 
> as {{TEST_SCHEMA:TEST_TABLE}} HBase table is namespace mapping is enabled. 
> View creation on this table would fail if permissions are granted to just 
> {{TEST_SCHEMA}} and not on {{TEST_TABLE}}. It works correctly if same 
> permissions are granted at table level too.
> FYI. [~ankit.singhal] [~twdsi...@gmail.com]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)