[jira] [Commented] (PHOENIX-5274) ConnectionQueryServiceImpl#ensureNamespaceCreated and ensureTableCreated should use HBase APIs that do not require ADMIN permissions for existence checks

Tue, 21 Jun 2022 13:12:04 -0700 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-5274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557093#comment-17557093
 ] 

ASF GitHub Bot commented on PHOENIX-5274:
-----------------------------------------

gjacoby126 commented on PR #1456:
URL: https://github.com/apache/phoenix/pull/1456#issuecomment-1162287223

   Looks like the existing 5.x code wasn't calling the preCreateSchema hook 
properly, so the permission validation check wasn't happening. This behavior 
was hidden because the restrictive HBase API the code used to rely effectively 
ran an even more restrictive check. Removing the HBase check revealed the 
existing security hole. I've fixed the createSchema logic so that it matches 
the dropSchema logic and the test passes now. 




> ConnectionQueryServiceImpl#ensureNamespaceCreated and ensureTableCreated 
> should use HBase APIs that do not require ADMIN permissions for existence 
> checks
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5274
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5274
>             Project: Phoenix
>          Issue Type: Improvement
>    Affects Versions: 5.0.0, 4.15.0, 4.14.2
>            Reporter: Chinmay Kulkarni
>            Assignee: Geoffrey Jacoby
>            Priority: Major
>             Fix For: 5.2.0
>
>         Attachments: PHOENIX-5274.4.x-HBase-1.5.v1.patch, 
> PHOENIX-5274.4.x-HBase-1.5.v2.patch, PHOENIX-5274.4.x-HBase-1.5.v3.patch
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> [HBASE-22377|https://issues.apache.org/jira/browse/HBASE-22377] will 
> introduce a new API that does not require ADMIN permissions to check the 
> existence of a namespace.
> Currently, CQSI#ensureNamespaceCreated calls 
> HBaseAdmin#getNamespaceDescriptor which eventually on the server causes a 
> call to AccessController#preGetNamespaceDescriptor. This tries to acquire 
> ADMIN permissions on the namespace. We should ideally use the new API 
> provided by HBASE-22377 which does not require the phoenix client to get 
> ADMIN permissions on the namespace. We should acquire ADMIN permissions only 
> in case we need to create the namespace if it doesn't already exist.
> Similarly, CQSI#ensureTableCreated should first check the existence of a 
> table before trying to do HBaseAdmin#getTableDescriptor since this requires 
> CREATE and ADMIN permissions.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to