[ https://issues.apache.org/jira/browse/PHOENIX-5369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mehdi Salarkia updated PHOENIX-5369: ------------------------------------ Environment: {code:java} <hbase.version>2.1.1</hbase.version> {code} was: {code:java} <!-- Hadoop Versions --> <hbase.version>2.1.1</hbase.version> <hadoop.version>3.0.0</hadoop.version> {code} > BasePermissionsIT.testReadPermsOnTableIndexAndView test uses an incorrect > user for permission based operations > -------------------------------------------------------------------------------------------------------------- > > Key: PHOENIX-5369 > URL: https://issues.apache.org/jira/browse/PHOENIX-5369 > Project: Phoenix > Issue Type: Bug > Affects Versions: 5.0.0 > Environment: {code:java} > <hbase.version>2.1.1</hbase.version> > {code} > Reporter: Mehdi Salarkia > Assignee: Mehdi Salarkia > Priority: Minor > > org.apache.phoenix.end2end.BasePermissionsIT uses a regular user to revoke > another user's permissions, although the invoking user does not have permission > to do that, and as a result the test runs into the following exception. 
> {code:java} > 2019-06-24 14:05:54,108 DEBUG [main] > org.apache.hadoop.hbase.client.RpcRetryingCallerImpl(131): Call exception, > tries=10, retries=16, started=38507 ms ago, cancelled=false, > msg=java.io.IOException: > org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient > permissions (user=regularUser1_N000002, scope=hbase:acl, > family=l:regularUser2_N000003, > params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE) > at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185) > at > org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118) > at > org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031) > at > org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192) > at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405) > at > org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010) > at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413) > at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304) > Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: > Insufficient permissions (user=regularUser1_N000002, scope=hbase:acl, > family=l:regularUser2_N000003, > params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE) > at > org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1552) > at > 
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:990) > at > org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:987) > at > org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(CoprocessorHost.java:540) > at > org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:614) > at > org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:987) > at > org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.callPreMutateCPHook(HRegion.java:3709) > at > org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.access$800(HRegion.java:3470) > at > org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation$1.visit(HRegion.java:3539) > at > org.apache.hadoop.hbase.regionserver.HRegion$BatchOperation.visitBatchOperations(HRegion.java:3084) > at > org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.checkAndPrepare(HRegion.java:3529) > at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3968) > at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3902) > at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3893) > at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3907) > at > org.apache.hadoop.hbase.regionserver.HRegion.doBatchMutate(HRegion.java:4234) > at org.apache.hadoop.hbase.regionserver.HRegion.delete(HRegion.java:2923) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.mutate(RSRpcServices.java:2853) > at > org.apache.hadoop.hbase.client.ClientServiceCallable.doMutate(ClientServiceCallable.java:55) > at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:498) > at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:493) > at > org.apache.hadoop.hbase.client.RegionServerCallable.call(RegionServerCallable.java:127) > at > 
org.apache.hadoop.hbase.client.RpcRetryingCallerImpl.callWithRetries(RpcRetryingCallerImpl.java:107) > at org.apache.hadoop.hbase.client.HTable.delete(HTable.java:503) > at > org.apache.hadoop.hbase.security.access.AccessControlLists.removePermissionRecord(AccessControlLists.java:262) > at > org.apache.hadoop.hbase.security.access.AccessControlLists.removeUserPermission(AccessControlLists.java:246) > at > org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2124) > at > org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2118) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962) > at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:514) > at > org.apache.hadoop.security.SecurityUtil.doAsLoginUser(SecurityUtil.java:495) > at sun.reflect.GeneratedMethodAccessor112.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.hadoop.hbase.util.Methods.call(Methods.java:40) > at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:183) > ... 
11 more > , details=row '' on table 'hbase:acl' at > region=hbase:acl,,1561410247401.d0b5e1997224dadc6c06b2a492b99a08., > hostname=localhost,55921,1561410236573, seqNum=2, > exception=java.io.IOException: java.io.IOException: > org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient > permissions (user=regularUser1_N000002, scope=hbase:acl, > family=l:regularUser2_N000003, > params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE) > at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185) > at > org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118) > at > org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031) > at > org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192) > at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405) > at > org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010) > at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413) > at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304) > {code} > This seems to be caused by this HBase fix > https://issues.apache.org/jira/browse/HBASE-21385 which has changed the way > HBase Delete operation works. 
> On HBase 2.1.0 and below this was working because the user behind the request > was null (because it was an RPC call, see > org.apache.hadoop.hbase.security.access.AccessController#getActiveUser) and > the check fell back to the system user, which always had permission for any operation. The revoke was therefore authorized as the system user rather than as the regular user the test was running as, which masked the incorrect user in the test. -- This message was sent by Atlassian JIRA (v7.6.3#76005)