This is an automated email from the ASF dual-hosted git repository.
chinmayskulkarni pushed a commit to branch 4.x-HBase-1.5
in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/4.x-HBase-1.5 by this push:
new 2d8096f PHOENIX-5374: Incorrect exception thrown in some cases when
client does not have Exec permissions on SYSTEM:CATALOG
2d8096f is described below
commit 2d8096ffb30d6cd0fbc8c6355d1c1617e8f0f9ac
Author: Chinmay Kulkarni <chinmayskulka...@gmail.com>
AuthorDate: Tue Jun 25 22:36:23 2019 -0700
PHOENIX-5374: Incorrect exception thrown in some cases when client does not
have Exec permissions on SYSTEM:CATALOG
---
.../phoenix/end2end/PermissionNSEnabledIT.java | 57 ++++++++++++++++++++++
.../phoenix/query/ConnectionQueryServicesImpl.java | 10 ++--
2 files changed, 64 insertions(+), 3 deletions(-)
diff --git
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
index 22fc297..30f3a08 100644
---
a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
+++
b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java
@@ -17,13 +17,23 @@
*/
package org.apache.phoenix.end2end;
+import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.phoenix.exception.SQLExceptionCode;
+import org.apache.phoenix.util.SchemaUtil;
import org.junit.BeforeClass;
import org.junit.Test;
import java.security.PrivilegedExceptionAction;
+import java.sql.Connection;
+import java.sql.SQLException;
+
+import static
org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_CATALOG_TABLE;
+import static
org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_SCHEMA_NAME;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
public class PermissionNSEnabledIT extends BasePermissionsIT {
@@ -67,4 +77,51 @@ public class PermissionNSEnabledIT extends BasePermissionsIT
{
revokeAll();
}
}
+
+ @Test
+ public void testConnectionCreationFailsWhenNoExecPermsOnSystemCatalog()
throws Throwable {
+ try {
+ grantSystemTableAccess();
+ superUser1.runAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ TableName systemCatalogTableName =
+
TableName.valueOf(SchemaUtil.getPhysicalHBaseTableName(SYSTEM_SCHEMA_NAME,
+ SYSTEM_CATALOG_TABLE, true).getString());
+ try {
+ // Revoke Exec permissions for SYSTEM CATALOG for the
unprivileged user
+ AccessControlClient
+ .revoke(getUtility().getConnection(),
systemCatalogTableName,
+ unprivilegedUser.getShortName(), null,
null, Permission.Action.EXEC);
+ } catch (Throwable t) {
+ if (t instanceof Exception) {
+ throw (Exception) t;
+ } else {
+ throw new Exception(t);
+ }
+ }
+ return null;
+ }
+ });
+
+ unprivilegedUser.runAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ try (Connection ignored = getConnection()) {
+ // We expect this to throw a wrapped
AccessDeniedException.
+ fail("Should have failed with a wrapped
AccessDeniedException");
+ } catch (Throwable ex) {
+ assertTrue("Should not get an incompatible jars
exception",
+ ex instanceof SQLException &&
((SQLException)ex).getErrorCode() !=
+
SQLExceptionCode.INCOMPATIBLE_CLIENT_SERVER_JAR.getErrorCode());
+ assertTrue("Expected a wrapped AccessDeniedException",
+ ex.getCause() instanceof
AccessDeniedException);
+ }
+ return null;
+ }
+ });
+ } finally {
+ revokeAll();
+ }
+ }
}
diff --git
a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
index bd2b975..3a44446 100644
---
a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
+++
b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
@@ -1358,8 +1358,12 @@ public class ConnectionQueryServicesImpl extends
DelegateQueryServices implement
return MetaDataUtil.areClientAndServerCompatible(serverVersion);
}
- private void checkClientServerCompatibility(byte[] metaTable) throws
SQLException {
- StringBuilder buf = new StringBuilder("Newer Phoenix clients can't
communicate with older Phoenix servers. The following servers require an
updated " + QueryConstants.DEFAULT_COPROCESS_JAR_NAME + " to be put in the
classpath of HBase: ");
+ private void checkClientServerCompatibility(byte[] metaTable) throws
SQLException,
+ AccessDeniedException {
+ StringBuilder buf = new StringBuilder("Newer Phoenix clients can't
communicate with older "
+ + "Phoenix servers. The following servers require an updated "
+ + QueryConstants.DEFAULT_COPROCESS_JAR_NAME
+ + " to be put in the classpath of HBase: ");
boolean isIncompatible = false;
int minHBaseVersion = Integer.MAX_VALUE;
boolean isTableNamespaceMappingEnabled = false;
@@ -1428,7 +1432,7 @@ public class ConnectionQueryServicesImpl extends
DelegateQueryServices implement
+ " is consistent on client and server.")
.build().buildException(); }
lowestClusterHBaseVersion = minHBaseVersion;
- } catch (SQLException e) {
+ } catch (SQLException | AccessDeniedException e) {
throw e;
} catch (Throwable t) {
// This is the case if the "phoenix.jar" is not on the classpath
of HBase on the region server
