[
https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955446#comment-15955446
]
Ankit Singhal commented on PHOENIX-3756:
----------------------------------------
Thanks [~elserj] for the update.
* Can you also add this compatibility check when you are caching
accessDeniedException for meta table so that we still be doing compatibility
checks (for version compatibility and consistent namespace property) and end a
flow if SYSTEM.CATALOG table doesn't exists.
{code}
checkClientServerCompatibility(
SchemaUtil.getPhysicalName(SYSTEM_CATALOG_NAME_BYTES,
this.getProps()).getName());
{code}
* we should not be returning early here, Ignore the exception and let
"(tableNames.size() == 0) { return true; }" to take care the flow.
NamespaceNotExist Exception will be thrown if non upgraded system table exists
otherwise client can fail in later stage while accessing namespace mapped
system tables.
{code}
+ // Namespace-mapping is enabled at this point.
+ try {
+ ensureNamespaceCreated(QueryConstants.SYSTEM_SCHEMA_NAME);
+ } catch (PhoenixIOException e) {
+ // User might not be privileged to access the Phoenix system
tables
+ // in the HBase "SYSTEM" namespace (lacking 'ADMIN'). Let them
proceed without
+ // verifying the system table configuration.
+ logger.warn("Could not access system namespace, assuming it
exists");
+ return false;
+ }
{code}
** you may need to move code which removes SYSTEM.MUTEX table name from tables
before tableNames.size() condition as this may be needed until PHOENIX-3757 is
fixed.
{code}
tableNames.remove(TableName.valueOf(PhoenixDatabaseMetaData.SYSTEM_MUTEX_NAME));
{code}
* And after above, we can remove this check.
{code}
if (!ensureSystemTablesUpgraded(ConnectionQueryServicesImpl.this.getProps())) {
+ logger.debug("Failed to upgrade system
tables, assuming they are properly configured.");
+ success = true;
+ return null;
+ }
{code}
> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
> Key: PHOENIX-3756
> URL: https://issues.apache.org/jira/browse/PHOENIX-3756
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.11.0
>
> Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch,
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users
> would need ADMIN on the default HBase namespace. However, when
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
