[
https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Josh Elser updated PHOENIX-3756:
--------------------------------
Attachment: PHOENIX-3756.005.patch
.005 Switched the {{e.getCause() instanceof AccessDeniedException}} to
{{!Iterables.isEmpty(Iterables.filter(Throwables.getCausalChain(e),
AccessDeniedException.class))}}. The root cause was actually a
RemoteWithExtrasException, not the intended AccessDeniedException.
> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
> Key: PHOENIX-3756
> URL: https://issues.apache.org/jira/browse/PHOENIX-3756
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.11.0
>
> Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch,
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users
> would need ADMIN on the default HBase namespace. However, when
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
