[ https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949614#comment-15949614 ]
Josh Elser commented on PHOENIX-3756: ------------------------------------- Turns out that when [~sergey.soldatov] was looking at PHOENIX-3652 initially, he mocked up a fix by catching the {{AccessDeniedException}} being thrown from the server and essentially breaking out of the system table check. This does prevent the fail-fast case when the system tables don't exist, but we don't really have a way around this for unprivileged users. Will attach the patch I got working locally (again, really Sergey's work!) shortly. > Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix > ------------------------------------------------------------------------ > > Key: PHOENIX-3756 > URL: https://issues.apache.org/jira/browse/PHOENIX-3756 > Project: Phoenix > Issue Type: Bug > Reporter: Josh Elser > Assignee: Josh Elser > Fix For: 4.11.0 > > > Follow-on from PHOENIX-3652: > The fix provided in PHOENIX-3652 addressed the default situation where users > would need ADMIN on the default HBase namespace. However, when > {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its > system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those > lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix. > The root-cause is essentially the same: the code tries to fetch the > {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN > permission. > https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037 -- This message was sent by Atlassian JIRA (v6.3.15#6346)