Mehdi Salarkia created PHOENIX-5369:
---------------------------------------
Summary: BasePermissionsIT.testReadPermsOnTableIndexAndView test
uses an incorrect user for permission based operations
Key: PHOENIX-5369
URL: https://issues.apache.org/jira/browse/PHOENIX-5369
Project: Phoenix
Issue Type: Bug
Affects Versions: 5.0.0
Environment: {code:java}
<!-- Hadoop Versions -->
<hbase.version>2.1.1</hbase.version>
<hadoop.version>3.0.0</hadoop.version>
{code}
Reporter: Mehdi Salarkia
Assignee: Mehdi Salarkia
org.apache.phoenix.end2end.BasePermissionsIT uses a regular user to revoke
permissions on another user, but the invoking user does not have permission to
do that, and as a result the test runs into the following exception.
{code:java}
2019-06-24 14:05:54,108 DEBUG [main] org.apache.hadoop.hbase.client.RpcRetryingCallerImpl(131): Call exception, tries=10, retries=16, started=38507 ms ago, cancelled=false, msg=java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=regularUser1_N000002, scope=hbase:acl, family=l:regularUser2_N000003, params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
    at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185)
    at org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192)
    at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405)
    at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)
Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=regularUser1_N000002, scope=hbase:acl, family=l:regularUser2_N000003, params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
    at org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1552)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:990)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:987)
    at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(CoprocessorHost.java:540)
    at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:614)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:987)
    at org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.callPreMutateCPHook(HRegion.java:3709)
    at org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.access$800(HRegion.java:3470)
    at org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation$1.visit(HRegion.java:3539)
    at org.apache.hadoop.hbase.regionserver.HRegion$BatchOperation.visitBatchOperations(HRegion.java:3084)
    at org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.checkAndPrepare(HRegion.java:3529)
    at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3968)
    at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3902)
    at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3893)
    at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3907)
    at org.apache.hadoop.hbase.regionserver.HRegion.doBatchMutate(HRegion.java:4234)
    at org.apache.hadoop.hbase.regionserver.HRegion.delete(HRegion.java:2923)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.mutate(RSRpcServices.java:2853)
    at org.apache.hadoop.hbase.client.ClientServiceCallable.doMutate(ClientServiceCallable.java:55)
    at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:498)
    at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:493)
    at org.apache.hadoop.hbase.client.RegionServerCallable.call(RegionServerCallable.java:127)
    at org.apache.hadoop.hbase.client.RpcRetryingCallerImpl.callWithRetries(RpcRetryingCallerImpl.java:107)
    at org.apache.hadoop.hbase.client.HTable.delete(HTable.java:503)
    at org.apache.hadoop.hbase.security.access.AccessControlLists.removePermissionRecord(AccessControlLists.java:262)
    at org.apache.hadoop.hbase.security.access.AccessControlLists.removeUserPermission(AccessControlLists.java:246)
    at org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2124)
    at org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2118)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
    at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:514)
    at org.apache.hadoop.security.SecurityUtil.doAsLoginUser(SecurityUtil.java:495)
    at sun.reflect.GeneratedMethodAccessor112.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.hadoop.hbase.util.Methods.call(Methods.java:40)
    at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:183)
    ... 11 more
, details=row '' on table 'hbase:acl' at region=hbase:acl,,1561410247401.d0b5e1997224dadc6c06b2a492b99a08., hostname=localhost,55921,1561410236573, seqNum=2, exception=java.io.IOException: java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=regularUser1_N000002, scope=hbase:acl, family=l:regularUser2_N000003, params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
    at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185)
    at org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031)
    at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192)
    at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405)
    at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)
{code}
This seems to be caused by this HBase fix
https://issues.apache.org/jira/browse/HBASE-21385 which has changed the way
the HBase Delete operation works.
On HBase 2.1.0 and below this was working because the user behind the request
was null (because it was an RPC call, see
org.apache.hadoop.hbase.security.access.AccessController#getActiveUser) and
fell back to the system user, which always had permission for any operation.
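
An added example, not part of the original report or of Phoenix/HBase code: a small Python parser for the `AccessDeniedException` message shown in the trace, which collapses the retried copies and flags denied `hbase:acl` writes where one user targets another user's entry. It assumes the `family=l:<user>` form seen in the log names the grantee; the function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Denial message in the shape shown in the trace; \s* tolerates mail hard-wraps.
DENIED = re.compile(
    r"Insufficient\s+permissions\s+\("
    r"user=(?P<user>[^,]+),\s*scope=(?P<scope>[^,]+),\s*"
    r"family=(?P<family>[^,]+),\s*"
    r"(?:params=\[[^\]]*\],\s*)?action=(?P<action>\w+)\)"
)

def parse_denials(text):
    """Count distinct (user, scope, family, action) denials; retries repeat them."""
    return Counter(
        (m["user"], m["scope"], m["family"], m["action"])
        for m in DENIED.finditer(text)
    )

def acl_changes_on_other_users(denials):
    """Denied hbase:acl writes where the caller targets another user's entry."""
    findings = []
    for (user, scope, family, action), count in sorted(denials.items()):
        if scope != "hbase:acl" or action != "WRITE":
            continue
        # Assumption: family is printed as "l:<grantee>", as in the trace.
        grantee = family.partition(":")[2]
        if grantee and grantee != user:
            findings.append({"caller": user, "grantee": grantee, "repeats": count})
    return findings

# Constructed sample: the denial text from the report (hard-wrapped, appearing
# twice as in the trace) plus one constructed, unrelated read denial.
SAMPLE = """\
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=regularUser1_N000002, scope=hbase:acl,
family=l:regularUser2_N000003,
params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
Caused by: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=regularUser1_N000002, scope=hbase:acl,
family=l:regularUser2_N000003,
params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
AccessDeniedException: Insufficient permissions (user=constructedUser, scope=default:T1, family=0, action=READ)
"""

if __name__ == "__main__":
    for finding in acl_changes_on_other_users(parse_denials(SAMPLE)):
        print(finding)
```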