[jira] [Commented] (PHOENIX-3756) Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix

Tue, 04 Apr 2017 10:53:02 -0700 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-3756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955508#comment-15955508
 ] 

Ankit Singhal commented on PHOENIX-3756:
----------------------------------------

bq. The problem here was the case where the system tables exist and are 
properly configured, the client fails to connect as they receive the same 
AccessDeniedException trying to access the NamespaceDescriptor. I was intending 
to just ignore the whole issue of non-upgrade system tables.

Yes, That's why you just need to catch the exception thrown by 
ensureNamespaceCreated and ignore it. if there are tables which are not 
upgraded then flow will continue to upgrade them otherwise return normally. And 
there is no need to check SYSTEM namespace exists or not. because the user will 
get a proper exception if meta table doesn't exist and the code tries to create 
it in the non-existing namespace.



> Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3756
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3756
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3756.001.patch, PHOENIX-3756.002.patch, 
> PHOENIX-3756.003.patch, PHOENIX-3756.004.patch, PHOENIX-3756.005.patch
>
>
> Follow-on from PHOENIX-3652:
> The fix provided in PHOENIX-3652 addressed the default situation where users 
> would need ADMIN on the default HBase namespace. However, when 
> {{phoenix.schema.isNamespaceMappingEnabled=true}} and Phoenix creates its 
> system tables in the {{SYSTEM}} HBase namespace, unprivileged users (those 
> lacking ADMIN on {{SYSTEM}}) still cannot connect to Phoenix.
> The root-cause is essentially the same: the code tries to fetch the 
> {{NamespaceDescriptor}} for the {{SYSTEM}} namespace which requires the ADMIN 
> permission.
> https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to