[ 
https://issues.apache.org/jira/browse/PHOENIX-7474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth reassigned PHOENIX-7474:
------------------------------------

    Assignee: Richárd Antal

> Migrate IndexTool tables and make sure they are created
> -------------------------------------------------------
>
>                 Key: PHOENIX-7474
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7474
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Richárd Antal
>            Assignee: Richárd Antal
>            Priority: Major
>
> IndexTool uses 2 native HBase tables PHOENIX_INDEX_TOOL and 
> PHOENIX_INDEX_TOOL_RESULT that were not under SYSTEM namespace/schema.
> When creating an ASYNC index and running the IndexTool with a user that has 
> 'RX' permission ON SCHEMA SYSTEM and 'RWX' ON SYSTEM.CATALOG,
> we could face an AccessDeniedException (action=create).
> It is because IndexTool tries to create the above tables if they are not yet 
> present.
> Some users don't have permission for that but they would have permission to 
> create an index on a given table otherwise.
> To solve this we should create these tables similarly to other system tables.
> Also we should have these under SYSTEM schema/namespace.
> Steps to reproduce the issue:
>  # Create test user (testuser2) on cluster
>  # With admin permissions in phoenix:
>  ** Create SCHEMA:
>  *** CREATE SCHEMA IF NOT EXISTS test_schema2;
>  ** Grants for testuser2:
>  *** GRANT 'RX' ON SCHEMA SYSTEM TO 'testuser2';
> GRANT 'CRW' ON SCHEMA test_schema2 TO 'testuser2';
>  # With testuser2:
>  ** Create Table:
>  *** CREATE TABLE test_schema2.table2 (id BIGINT not null primary key, date 
> Date, amount INTEGER);
>  *** Error: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user ‘testus...@root.comops.site',action: delete, 
> tableName:SYSTEM:CATALOG, family:0, column: TRANSACTION_PROVIDER
>  # With admin:
>  ** Grant testuser2:
>  *** GRANT 'RWX' ON SYSTEM.CATALOG TO 'testuser2';
>  # testuser2:
>  ** Create Table and Indices:
>  *** CREATE TABLE test_schema2.table2 (id BIGINT not null primary key, date 
> Date, amount INTEGER);
>  *** CREATE INDEX test_index3 ON test_schema2.table2(date DESC);
>  *** CREATE INDEX test_index4 ON test_schema2.table2(date DESC) ASYNC;
>  ** Run IndexTool:
>  *** hbase org.apache.phoenix.mapreduce.index.IndexTool --schema test_schema2 
> --data-table table2 --index-table test_index4 --output-path /tmp/
>  *** Error: An exception occurred while performing the 
> indexing job: AccessDeniedException: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user 'testu...@root.comops.site' (action=create)
> Creating a dummy ASYNC index with admin or GRANT 'C' TO 'testuser2'; resolves 
> this error
>  ** IndexTool Again:
>  *** Error: Caused by: 
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
>  Permission denied: user=testuser2, access=WRITE, 
> inode="/user":hdfs:supergroup:drwxr-xr-x
>  # hdfs admin:
>  ** hdfs dfs -mkdir /user/testuser2
> hdfs dfs -chown testuser2 /user/testuser2
> hdfs dfs -chmod -R 770 /user/testuser2
>  # testuser2:
>  ** IndexTool Again
> Job submitted and run successfully. TEST_INDEX4 is shown as "ACTIVE" in 
> phoenix.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
