Accumulo / ACCUMULO-378 Multi data center replication / ACCUMULO-2705

Don't try to assign permissions to !SYSTEM user when creating a table

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.7.0
    • Component/s: tserver
    • Labels:
      None

      Description

      When creating a table to use for storing replication "bookkeeping", I found that the internal !SYSTEM user doesn't have the ability to create a table. Should it?

      Without this, the user would have to create/configure a custom local user account with proper credentials to read/write the replication table as well as persist this in accumulo-site.xml. My first impression is that this is excessive waste because the usage is purely within the tablet server already – need to try to figure out if there's a reason that !SYSTEM shouldn't be allowed to create tables.

        Activity

        Josh Elser added a comment -

        Actually, this may be as simple as changing the CreateTable FATE op to not try to grant permissions on the table being created when the user who initiated the creation is !SYSTEM

        Turns out it was. I don't see any issues with that approach either, so this is the best of both worlds IMO.

        Josh Elser added a comment -

        Actually, this may be as simple as changing the CreateTable FATE op to not try to grant permissions on the table being created when the user who initiated the creation is !SYSTEM

        Josh Elser added a comment -

        If it simplifies things, why not create it on upgrade/init and leave it unused?

        Hypothetically, it does. I spent a few hours trying to do this on Friday, actually. When you circumvent the APIs and manually create a table, you have to use a fixed table ID. You then also have to make sure that operations against accumulo.metadata still "consider" it a table. After bashing my head against it for a few hours, I gave up. While there is the simplicity argument for creating the table up front, there is the implementation complexity of having a table which doesn't follow the same "rules" as every other table (with nothing being special about said table).

        Josh Elser added a comment -

        SystemCredentials really doesn't seem to be the "correct" place for this either as they are explicitly meant for IPC. Should Accumulo internals have the ability to use the public API?

        I suppose I could try to circumvent things by hitting the TableOperations.create(String) implementation as a shortcut.

        Sean Busbey added a comment -

        If it simplifies things, why not create it on upgrade/init and leave it unused?

        It looks like the 1.6.0 master creates the root table manually through the TableManager and a manual call to the Initialization code. It's kind of heavy-weight, but would get you what you need.

        Josh Elser added a comment -

        No, it shouldn't be a part of the upgrade process as it's not necessary to create this table if the feature is not enabled. I believe the root table would have been manually created as a part of the initialize process so that's probably not of help.

        Sean Busbey added a comment -

        Shouldn't this just happen as a part of the upgrade process? How did the 1.5 -> 1.6 upgrade create the root table?

        Josh Elser added a comment - - edited

        Relevant issue if I try to use !SYSTEM:

        org.apache.accumulo.core.client.AccumuloSecurityException: Error USER_DOESNT_EXIST for user !SYSTEM on table replication(?) - The user does not exist
        	at org.apache.accumulo.core.client.admin.TableOperationsImpl.doFateOperation(TableOperationsImpl.java:327)
        	at org.apache.accumulo.core.client.admin.TableOperationsImpl.doFateOperation(TableOperationsImpl.java:302)
        	at org.apache.accumulo.core.client.admin.TableOperationsImpl.doTableFateOperation(TableOperationsImpl.java:1591)
        	at org.apache.accumulo.core.client.admin.TableOperationsImpl.create(TableOperationsImpl.java:229)
        	at org.apache.accumulo.core.client.admin.TableOperationsImpl.create(TableOperationsImpl.java:193)
        
        2014-04-21 14:39:22,837 [tableOps.FinishCreateTable] ERROR:
        ThriftSecurityException(user:!SYSTEM, code:USER_DOESNT_EXIST)
                at org.apache.accumulo.server.security.SecurityOperation.targetUserExists(SecurityOperation.java:363)
                at org.apache.accumulo.server.security.SecurityOperation.grantTablePermission(SecurityOperation.java:621)
                at org.apache.accumulo.server.security.AuditedSecurityOperation.grantTablePermission(AuditedSecurityOperation.java:381)
                at org.apache.accumulo.master.tableOps.SetupPermissions.call(CreateTable.java:254)
                at org.apache.accumulo.master.tableOps.MasterRepo.call(MasterRepo.java:1)
                at org.apache.accumulo.master.tableOps.TraceRepo.call(TraceRepo.java:54)
                at org.apache.accumulo.fate.Fate$TransactionRunner.run(Fate.java:67)
                at org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:34)
                at java.lang.Thread.run(Thread.java:724)
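
The failure in the stack trace above and the fix proposed in the comments (skip the grant when the creating user is !SYSTEM), modelled as an added, self-contained example. This is not Accumulo's code: the class, method names, permission list and the user "alice" are hypothetical, and it assumes, as the USER_DOESNT_EXIST error indicates, that !SYSTEM is not a stored user.

```java
import java.util.*;

// Self-contained model of the behaviour discussed in this issue; class and
// method names are hypothetical and are not Accumulo's API.
public class CreateTableGrantSketch {
  static final String SYSTEM_USER = "!SYSTEM"; // internal principal named in the issue
  // Constructed sample permissions granted to a table's creator.
  static final List<String> CREATOR_PERMS = List.of("READ", "WRITE");

  // Stored local users -> "table:permission" grants. Assumption: !SYSTEM is never stored here.
  final Map<String, Set<String>> grants = new HashMap<>();

  void createUser(String user) { grants.put(user, new TreeSet<>()); }

  // Mirrors the check seen in the stack trace: the grant target must be a stored user.
  void grantTablePermission(String user, String table, String perm) {
    Set<String> g = grants.get(user);
    if (g == null) throw new IllegalStateException("USER_DOESNT_EXIST: " + user);
    g.add(table + ":" + perm);
  }

  // Before the fix: always grant to whoever initiated the create.
  void setupPermissionsBefore(String creator, String table) {
    for (String p : CREATOR_PERMS) grantTablePermission(creator, table, p);
  }

  // After the fix: skip the grants when the initiator is the system user.
  void setupPermissionsAfter(String creator, String table) {
    if (SYSTEM_USER.equals(creator)) return;
    for (String p : CREATOR_PERMS) grantTablePermission(creator, table, p);
  }

  public static void main(String[] args) {
    CreateTableGrantSketch s = new CreateTableGrantSketch();
    s.createUser("alice"); // constructed user
    s.setupPermissionsAfter("alice", "t1");
    System.out.println("alice: " + s.grants.get("alice"));
    try {
      s.setupPermissionsBefore(SYSTEM_USER, "replication");
    } catch (IllegalStateException e) {
      System.out.println("before: " + e.getMessage());
    }
    s.setupPermissionsAfter(SYSTEM_USER, "replication");
    System.out.println("after: grant stored for " + SYSTEM_USER + "? "
        + s.grants.containsKey(SYSTEM_USER));
  }
}
```

The guard leaves ordinary users' grants untouched and writes no per-table permission entry for the system principal.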
        

          People

          • Assignee:
            Josh Elser
            Reporter:
            Josh Elser