[
https://issues.apache.org/jira/browse/PHOENIX-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Soldatov updated PHOENIX-6579:
-------------------------------------
Description:
When the namespace mapping and ACLs are enabled and the user tries to create a
view on top of the existing HBase table, the query would fail if he doesn't
have permissions for the default namespace.
{noformat}
*Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=admin/[email protected], scope=default:my_ns.my_table, action=[READ])
at org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
at org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
at org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
at org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318)
(state=08000,code=101)
{noformat}
That happens because in the MetaData endpoint implementation we are still using
_SchemaUtil.getTableNameAsBytes(schemaName, tableName)_ for the mapped view,
which knows nothing about namespace mapping, so the ACL check is going against
'default:schema.table'. It could be fixed easily by replacing the call with
_SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, isNamespaceMapped).getBytes();_
> ACL check doesn't honor the namespace mapping for mapped views.
> ---------------------------------------------------------------
>
> Key: PHOENIX-6579
> URL: https://issues.apache.org/jira/browse/PHOENIX-6579
> Project: Phoenix
> Issue Type: Bug
> Components: core
> Affects Versions: 5.1.2
> Reporter: Sergey Soldatov
> Assignee: Sergey Soldatov
> Priority: Major
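A simplified model of the mismatch described in the report, added here as an illustration and not Phoenix or HBase code. `flatName`, `physicalName`, `scope` and the grant table are hypothetical stand-ins that only mimic the naming behaviour the report attributes to the two `SchemaUtil` calls; the grant itself is constructed sample data.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the name mismatch in PHOENIX-6579; not Phoenix code.
public class NamespaceAclDemo {
    // Stand-in for the namespace-unaware lookup: always "schema.table",
    // a name that HBase resolves inside the "default" namespace.
    static String flatName(String schema, String table) {
        return schema == null || schema.isEmpty() ? table : schema + "." + table;
    }

    // Stand-in for the namespace-aware lookup: "schema:table" when mapping is on,
    // otherwise the same flat name as above.
    static String physicalName(String schema, String table, boolean isNamespaceMapped) {
        if (isNamespaceMapped && schema != null && !schema.isEmpty()) {
            return schema + ":" + table;
        }
        return flatName(schema, table);
    }

    // ACL scope as printed in the error: names without a namespace get "default:".
    static String scope(String hbaseName) {
        return hbaseName.contains(":") ? hbaseName : "default:" + hbaseName;
    }

    // Constructed grants: the user holds READ only on the real table in my_ns.
    static final Map<String, Set<String>> GRANTS =
            Map.of("my_ns:my_table", Set.of("READ"));

    static boolean allowed(String hbaseName, String action) {
        return GRANTS.getOrDefault(scope(hbaseName), Set.of()).contains(action);
    }

    public static void main(String[] args) {
        // Name the ACL check sees before and after the proposed replacement.
        String before = flatName("my_ns", "my_table");
        String after = physicalName("my_ns", "my_table", true);
        System.out.println(scope(before) + " READ allowed: " + allowed(before, "READ"));
        System.out.println(scope(after) + " READ allowed: " + allowed(after, "READ"));
    }
}
```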