This is an automated email from the ASF dual-hosted git repository. chinmayskulkarni pushed a commit to branch 4.x-HBase-1.4 in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/4.x-HBase-1.4 by this push: new 2e45dce PHOENIX-5374: Incorrect exception thrown in some cases when client does not have Exec permissions on SYSTEM:CATALOG 2e45dce is described below commit 2e45dce56e3d9236b537ac3bb11f303804e496fb Author: Chinmay Kulkarni <chinmayskulka...@gmail.com> AuthorDate: Tue Jun 25 22:36:23 2019 -0700 PHOENIX-5374: Incorrect exception thrown in some cases when client does not have Exec permissions on SYSTEM:CATALOG --- .../phoenix/end2end/PermissionNSEnabledIT.java | 57 ++++++++++++++++++++++ .../phoenix/query/ConnectionQueryServicesImpl.java | 10 ++-- 2 files changed, 64 insertions(+), 3 deletions(-) diff --git a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java index 22fc297..30f3a08 100644 --- a/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java +++ b/phoenix-core/src/it/java/org/apache/phoenix/end2end/PermissionNSEnabledIT.java @@ -17,13 +17,23 @@ */ package org.apache.phoenix.end2end; +import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.security.AccessDeniedException; import org.apache.hadoop.hbase.security.access.AccessControlClient; import org.apache.hadoop.hbase.security.access.Permission; +import org.apache.phoenix.exception.SQLExceptionCode; +import org.apache.phoenix.util.SchemaUtil; import org.junit.BeforeClass; import org.junit.Test; import java.security.PrivilegedExceptionAction; +import java.sql.Connection; +import java.sql.SQLException; + +import static org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_CATALOG_TABLE; +import static org.apache.phoenix.jdbc.PhoenixDatabaseMetaData.SYSTEM_SCHEMA_NAME; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; public class PermissionNSEnabledIT extends BasePermissionsIT { 
@@ -67,4 +77,51 @@ public class PermissionNSEnabledIT extends BasePermissionsIT {
 revokeAll();
 }
 }
+
+ @Test
+ public void testConnectionCreationFailsWhenNoExecPermsOnSystemCatalog() throws Throwable {
+ try {
+ grantSystemTableAccess();
+ superUser1.runAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ TableName systemCatalogTableName =
+ TableName.valueOf(SchemaUtil.getPhysicalHBaseTableName(SYSTEM_SCHEMA_NAME,
+ SYSTEM_CATALOG_TABLE, true).getString());
+ try {
+ // Revoke Exec permissions for SYSTEM CATALOG for the unprivileged user
+ AccessControlClient
+ .revoke(getUtility().getConnection(), systemCatalogTableName,
+ unprivilegedUser.getShortName(), null, null, Permission.Action.EXEC);
+ } catch (Throwable t) {
+ if (t instanceof Exception) {
+ throw (Exception) t;
+ } else {
+ throw new Exception(t);
+ }
+ }
+ return null;
+ }
+ });
+
+ unprivilegedUser.runAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ try (Connection ignored = getConnection()) {
+ // We expect this to throw a wrapped AccessDeniedException.
+ fail("Should have failed with a wrapped AccessDeniedException");
+ } catch (Throwable ex) {
+ assertTrue("Should not get an incompatible jars exception",
+ ex instanceof SQLException && ((SQLException)ex).getErrorCode() !=
+ SQLExceptionCode.INCOMPATIBLE_CLIENT_SERVER_JAR.getErrorCode());
+ assertTrue("Expected a wrapped AccessDeniedException",
+ ex.getCause() instanceof AccessDeniedException);
+ }
+ return null;
+ }
+ });
+ } finally {
+ revokeAll();
+ }
+ }
 }
diff --git a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
index bd2b975..3a44446 100644
--- a/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
+++ b/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java
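Review bot: The `catch (Throwable ex)` in the second `run()` of `testConnectionCreationFailsWhenNoExecPermsOnSystemCatalog` also catches the `AssertionError` raised by `fail(...)`. If the unprivileged connection unexpectedly succeeds, the test therefore fails with "Should not get an incompatible jars exception" rather than saying that a user without EXEC on SYSTEM:CATALOG was able to connect. Narrowing the handler to `} catch (SQLException ex) {` lets the `fail` message surface and removes the `instanceof`/cast, so the first check becomes `ex.getErrorCode() != SQLExceptionCode.INCOMPATIBLE_CLIENT_SERVER_JAR.getErrorCode()`. Any other exception type would then propagate through `run() throws Exception` and still fail the test.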
@@ -1358,8 +1358,12 @@ public class ConnectionQueryServicesImpl extends DelegateQueryServices implement return MetaDataUtil.areClientAndServerCompatible(serverVersion); } - private void checkClientServerCompatibility(byte[] metaTable) throws SQLException { - StringBuilder buf = new StringBuilder("Newer Phoenix clients can't communicate with older Phoenix servers. The following servers require an updated " + QueryConstants.DEFAULT_COPROCESS_JAR_NAME + " to be put in the classpath of HBase: "); + private void checkClientServerCompatibility(byte[] metaTable) throws SQLException, + AccessDeniedException { + StringBuilder buf = new StringBuilder("Newer Phoenix clients can't communicate with older " + + "Phoenix servers. The following servers require an updated " + + QueryConstants.DEFAULT_COPROCESS_JAR_NAME + + " to be put in the classpath of HBase: "); boolean isIncompatible = false; int minHBaseVersion = Integer.MAX_VALUE; boolean isTableNamespaceMappingEnabled = false; @@ -1428,7 +1432,7 @@ public class ConnectionQueryServicesImpl extends DelegateQueryServices implement + " is consistent on client and server.") .build().buildException(); } lowestClusterHBaseVersion = minHBaseVersion; - } catch (SQLException e) { + } catch (SQLException | AccessDeniedException e) { throw e; } catch (Throwable t) { // This is the case if the "phoenix.jar" is not on the classpath of HBase on the region server
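Review bot: The new `throws SQLException, AccessDeniedException` clause on `checkClientServerCompatibility` leaves it to the callers to turn a denial into a `SQLException`, and none of the call sites appear in this diff. The new test expects a `SQLException` whose cause is `AccessDeniedException`, so each call site should be checked to confirm it wraps the exception with the cause intact. A short Javadoc on the method would record the contract, for example `@throws AccessDeniedException if the client lacks EXEC permission on the catalog table; propagated unwrapped so it is not reported as a jar incompatibility`. The method body continues outside the hunk.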
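Review bot: The multi-catch `catch (SQLException | AccessDeniedException e)` only rescues a denial that arrives as a bare `AccessDeniedException`; one that arrives as the cause of another exception would still fall into `catch (Throwable t)`, whose visible comment ties it to the missing-jar case. Whether the server call can deliver the denial wrapped is not visible here and is worth confirming. If it can, the `Throwable` handler should inspect the cause chain before choosing the incompatible-jar error, because reporting an authorization failure as a classpath problem sends operators to the wrong fix. At minimum, a comment on the new catch such as `// rethrow as-is: a permissions failure must not be reported as INCOMPATIBLE_CLIENT_SERVER_JAR` would explain the intent. The `try` block and the `Throwable` handler both extend beyond the hunk.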