Richárd Antal created PHOENIX-7474:
--------------------------------------
Summary: Migrate IndexTool tables and make sure they are created
Key: PHOENIX-7474
URL: https://issues.apache.org/jira/browse/PHOENIX-7474
Project: Phoenix
Issue Type: Bug
Reporter: Richárd Antal
IndexTool uses 2 native HBase tables PHOENIX_INDEX_TOOL and
PHOENIX_INDEX_TOOL_RESULT that were not under SYSTEM namespace/scheme
When creating an ASYNC index and running the indexTool with a user that have
'RX' premission ON SCHEMA SYSTEM and 'RWX' ON SYSTEM.CATALOG
We could face a AccessDeniedException (action=create)
It is because IndexTool tries to create the above tables if they are not yet
present.
Some user don't have permission for that but they would have permission to
create and index on a give table otherwise.
To solve this we should create these tables similarly to other system tables.
Also we should have these under SYSTEM schema/namespace.
Steps to reproduce the issue:
# Create test user (testuser2) on cluster
# With admin permissions in phoenix:
** Create SCHEMA:
*** CREATE SCHEMA IF NOT EXISTS test_schema2;
** Grants for testuser2:
*** GRANT 'RX' ON SCHEMA SYSTEM TO 'testuser2';
GRANT 'CRW' ON SCHEMA test_schema2 TO 'testuser2';
# With testuser2:
** Create Table:
*** CREATE TABLE test_schema2.table2 (id BIGINT not null primary key, date
Date, amount INTEGER);
*** {color:#ff0000}Error{color}:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user ‘testus...@root.comops.site',action: delete,
tableName:SYSTEM:CATALOG, family:0, column: TRANSACTION_PROVIDER
# With admin:
** Grant testuser2:
*** GRANT 'RWX' ON SYSTEM.CATALOG TO 'testuser2';
# testuser2:
** Create Table and Indices:
*** CREATE TABLE test_schema2.table2 (id BIGINT not null primary key, date
Date, amount INTEGER);
*** CREATE INDEX test_index3 ON test_schema2.table2(date DESC);
*** CREATE INDEX test_index4 ON test_schema2.table2(date DESC) ASYNC;
** Run IndexTool:
*** hbase org.apache.phoenix.mapreduce.index.IndexTool --schema test_schema2
--data-table table2 --index-table test_index4 --output-path /tmp/
*** {color:#ff0000}Error{color}: An exception occurred while performing the
indexing job: AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'testu...@root.comops.site' (action=create)
Creating a dummy ASYNC index with admin or GRANT 'C' TO 'testuser2'; resolves
this error
*
** IndexTool Again:
*** {color:#ff0000}Error{color}: Caused by:
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
Permission denied: user=testuser2, access=WRITE,
inode="/user":hdfs:supergroup:drwxr-xr-x
# hdfs admin:
** hdfs dfs -mkdir /user/testuser2
hdfs dfs -chown testuser2 /user/testuser2
hdfs dfs -chmod -R 770 /user/testuser2
# testuser2:
** IndexTool Again
Job sumbitted and run succesfully. TEST_INDEX4 is shown as "ACTIVE" in phoenix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
