[
https://issues.apache.org/jira/browse/PHOENIX-5369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mehdi Salarkia updated PHOENIX-5369:
------------------------------------
Environment:
{code:java}
<hbase.version>2.1.1</hbase.version>
{code}
was:
{code:java}
<!-- Hadoop Versions -->
<hbase.version>2.1.1</hbase.version>
<hadoop.version>3.0.0</hadoop.version>
{code}
> BasePermissionsIT.testReadPermsOnTableIndexAndView test uses an incorrect
> user for permission based operations
> --------------------------------------------------------------------------------------------------------------
>
> Key: PHOENIX-5369
> URL: https://issues.apache.org/jira/browse/PHOENIX-5369
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 5.0.0
> Environment: {code:java}
> <hbase.version>2.1.1</hbase.version>
> {code}
> Reporter: Mehdi Salarkia
> Assignee: Mehdi Salarkia
> Priority: Minor
>
> org.apache.phoenix.end2end.BasePermissionsIT uses a regular user for revoking
> permission on another user while invoking user does not have the permission
> to do that and as the result runs into the following exception.
> {code:java}
> 2019-06-24 14:05:54,108 DEBUG [main]
> org.apache.hadoop.hbase.client.RpcRetryingCallerImpl(131): Call exception,
> tries=10, retries=16, started=38507 ms ago, cancelled=false,
> msg=java.io.IOException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions (user=regularUser1_N000002, scope=hbase:acl,
> family=l:regularUser2_N000003,
> params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
> at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185)
> at
> org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192)
> at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405)
> at
> org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)
> Caused by: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions (user=regularUser1_N000002, scope=hbase:acl,
> family=l:regularUser2_N000003,
> params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
> at
> org.apache.hadoop.hbase.security.access.AccessController.preDelete(AccessController.java:1552)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:990)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$26.call(RegionCoprocessorHost.java:987)
> at
> org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(CoprocessorHost.java:540)
> at
> org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:614)
> at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:987)
> at
> org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.callPreMutateCPHook(HRegion.java:3709)
> at
> org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.access$800(HRegion.java:3470)
> at
> org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation$1.visit(HRegion.java:3539)
> at
> org.apache.hadoop.hbase.regionserver.HRegion$BatchOperation.visitBatchOperations(HRegion.java:3084)
> at
> org.apache.hadoop.hbase.regionserver.HRegion$MutationBatchOperation.checkAndPrepare(HRegion.java:3529)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3968)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3902)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3893)
> at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:3907)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.doBatchMutate(HRegion.java:4234)
> at org.apache.hadoop.hbase.regionserver.HRegion.delete(HRegion.java:2923)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.mutate(RSRpcServices.java:2853)
> at
> org.apache.hadoop.hbase.client.ClientServiceCallable.doMutate(ClientServiceCallable.java:55)
> at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:498)
> at org.apache.hadoop.hbase.client.HTable$2.rpcCall(HTable.java:493)
> at
> org.apache.hadoop.hbase.client.RegionServerCallable.call(RegionServerCallable.java:127)
> at
> org.apache.hadoop.hbase.client.RpcRetryingCallerImpl.callWithRetries(RpcRetryingCallerImpl.java:107)
> at org.apache.hadoop.hbase.client.HTable.delete(HTable.java:503)
> at
> org.apache.hadoop.hbase.security.access.AccessControlLists.removePermissionRecord(AccessControlLists.java:262)
> at
> org.apache.hadoop.hbase.security.access.AccessControlLists.removeUserPermission(AccessControlLists.java:246)
> at
> org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2124)
> at
> org.apache.hadoop.hbase.security.access.AccessController$8.run(AccessController.java:2118)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
> at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:514)
> at
> org.apache.hadoop.security.SecurityUtil.doAsLoginUser(SecurityUtil.java:495)
> at sun.reflect.GeneratedMethodAccessor112.invoke(Unknown Source)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.hadoop.hbase.util.Methods.call(Methods.java:40)
> at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:183)
> ... 11 more
> , details=row '' on table 'hbase:acl' at
> region=hbase:acl,,1561410247401.d0b5e1997224dadc6c06b2a492b99a08.,
> hostname=localhost,55921,1561410236573, seqNum=2,
> exception=java.io.IOException: java.io.IOException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions (user=regularUser1_N000002, scope=hbase:acl,
> family=l:regularUser2_N000003,
> params=[table=hbase:acl,family=l:regularUser2_N000003],action=WRITE)
> at org.apache.hadoop.hbase.security.User.runAsLoginUser(User.java:185)
> at
> org.apache.hadoop.hbase.security.access.AccessController.revoke(AccessController.java:2118)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.revoke(AccessControlProtos.java:10031)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10192)
> at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8203)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2423)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2405)
> at
> org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)
> {code}
> This seems to be caused by this HBase fix
> https://issues.apache.org/jira/browse/HBASE-21385 which has changed the way
> HBase Delete operation works.
> On Hbase 2.1.0 and below this was working because the user behind the request
> was null (because it was an RPC call, see
> org.apache.hadoop.hbase.security.access.AccessController#getActiveUser) and
> fell back to the system user which always had permission for any operations.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
