[jira] [Commented] (PHOENIX-7466) [phoenix-connector] spark with authorization enabled cannot access phoenix tables without schema

Wed, 20 Nov 2024 05:53:05 -0800 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-7466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899770#comment-17899770
 ] 

guluo commented on PHOENIX-7466:
--------------------------------

Thank you for your response.

In our enviroment, Spark enabled authorization by Kyuubi Spark AuthZ Plugin.
And I found that the authorization service  get the database information by 
tableName, as follow.
https://github.com/apache/kyuubi/blob/master/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/PrivilegesBuilder.scala#L96L100

```scala
case u if u.nodeName == "UnresolvedRelation" =>
  val parts = invokeAs[String](u, "tableName").split("\\.")
  val db = quote(parts.init)
  val table = Table(None, Some(db), parts.last, None)
  privilegeObjects += PrivilegeObject(table)
```

So, for table with default schema, we cannot the database information by 
tableName in here.

> [phoenix-connector] spark with authorization enabled cannot access phoenix 
> tables without schema
> ------------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-7466
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7466
>             Project: Phoenix
>          Issue Type: Bug
>          Components: connectors
>            Reporter: guluo
>            Priority: Major
>
> When spark enabled authorization, Spark cannot access phoenix tables without 
> schema.
> Assuming we use userA to operate Spark, and userA has access to the default 
> namespace on hbase
> When Spark enabled authorization by Kyuubi Spark AuthZ Plugin, and spark 
> access phoenix tables by the following way.
> df = spark.sqlContext.read.format("phoenix")
>   .options(Map("table" -> "Table1", "zkUrl" -> "phoenix-server:2181")).load;
> This phoenix table doesnot specify schema, So the authorization service 
> cannot get the database name of this table (database is null), So it think 
> that we are accessing an unauthorized database and denies access.
> I'm not sure if it must be a problem with phoenix-connector.
> But my solution is as follows.
> When the accessed Phoenix table does not have a schema, I convert it to 
> default.table in PhoenixTable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to