[jira] [Commented] (PHOENIX-5269) PhoenixAccessController should use AccessChecker instead of AccessControlClient for permission checks

Mon, 10 Jun 2019 08:25:27 -0700 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-5269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16860076#comment-16860076
 ] 

Kiran Kumar Maturi commented on PHOENIX-5269:
---------------------------------------------

[~lhofhansl] [~tdsilva] sorry for the delay in the patch for the master. I am 
working on fixing the following test failure when i run the PermissionsCacheIT.

BasePermissionsIT#testAutomaticGrantWithIndexAndView() . I have uploaded the 
master v1 patch.
{code:java}
java.lang.AssertionError: Expected exception was not thrown for user 
'unprivilegedUser_N000007'
at org.junit.Assert.fail(Assert.java:88)
at 
org.apache.phoenix.end2end.BasePermissionsIT.verifyDenied(BasePermissionsIT.java:726)
at 
org.apache.phoenix.end2end.BasePermissionsIT.verifyDenied(BasePermissionsIT.java:717)
at 
org.apache.phoenix.end2end.BasePermissionsIT.testAutomaticGrantWithIndexAndView(BasePermissionsIT.java:1164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at 
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at 
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at 
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at 
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at 
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at 
org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
at 
org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at 
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:538)
at 
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:760)
at 
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:460)
at 
org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:206)

{code}

> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks
> -----------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5269
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5269
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1, 4.14.2
>            Reporter: Andrew Purtell
>            Assignee: Kiran Kumar Maturi
>            Priority: Critical
>             Fix For: 4.15.0, 4.14.2
>
>         Attachments: PHOENIX-5269-4.14-HBase-1.4.patch, 
> PHOENIX-5269-4.14-HBase-1.4.v1.patch, PHOENIX-5269-4.14-HBase-1.4.v2.patch, 
> PHOENIX-5269.4.14-HBase-1.4.v3.patch, PHOENIX-5269.4.14-HBase-1.4.v4.patch, 
> PHOENIX-5269.4.x-HBase-1.4.v1.patch, PHOENIX-5269.4.x-HBase-1.5.v1.patch
>
>
> PhoenixAccessController should use AccessChecker instead of 
> AccessControlClient for permission checks. 
> In HBase, every RegionServer's AccessController maintains a local cache of 
> permissions. At startup time they are initialized from the ACL table. 
> Whenever the ACL table is changed (via grant or revoke) the AC on the ACL 
> table "broadcasts" the change via zookeeper, which updates the cache. This is 
> performed and managed by TableAuthManager but is exposed as API by 
> AccessChecker. AccessChecker is the result of a refactor that was committed 
> as far back as branch-1.4 I believe.
> Phoenix implements its own access controller and is using the client API 
> AccessControlClient instead. AccessControlClient does not cache nor use the 
> ZK-based cache update mechanism, because it is designed for client side use.
> The use of AccessControlClient instead of AccessChecker is not scalable. 
> Every permissions check will trigger a remote RPC to the ACL table, which is 
> generally going to be a single region hosted on a single RegionServer. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to