Uploaded image for project: 'Accumulo'
  1. Accumulo
  2. ACCUMULO-4519

System permission bug in Thrift Proxy

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0
    • Fix Version/s: 1.7.3, 1.8.1, 2.0.0
    • Component/s: proxy
    • Labels:
      None

      Description

      The system permission list between core and Thrift proxy is inconsistent. The proxy lacks the support for some of the newly added system permissions, including:
      System.CREATE_NAMESPACE
      System.DROP_NAMESPACE
      System.ALTER_NAMESPACE
      System.OBTAIN_DELEGATION_TOKEN

      Currently, when connecting through Thrift proxy, we can't grant, check or revoke the above 4 System permissions. When a proxy client sends permissions (i.e., System.CREATE_NAMESPACE), it will receive AccumuloException wrapping around java.lang.NullPointerException:

      Traceback (most recent call last):
        File "Client.py", line 32, in <module>
          client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
        File "***AccumuloProxy.py", line 2980, in grantSystemPermission
          self.recv_grantSystemPermission()
        File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
          raise result.ouch1
      accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
      

      The bug is in the Thrift proxy file

      accumulo/proxy/src/main/thrift/proxy/thrift
      enum SystemPermission {
        GRANT = 0,
        CREATE_TABLE = 1,
        DROP_TABLE = 2,
        ALTER_TABLE = 3,
        CREATE_USER = 4,
        DROP_USER = 5,
        ALTER_USER = 6,
        SYSTEM = 7,
      }
      

      The SystemPermission enum clearly misses Permission #8--#11 defined in Accumulo core:

      accumulo/core/.../SystemPermission.java
      public enum SystemPermission {
        /*
         * One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
         */
        GRANT((byte) 0),
        CREATE_TABLE((byte) 1),
        DROP_TABLE((byte) 2),
        ALTER_TABLE((byte) 3),
        CREATE_USER((byte) 4),
        DROP_USER((byte) 5),
        ALTER_USER((byte) 6),
        SYSTEM((byte) 7),
        CREATE_NAMESPACE((byte) 8),
        DROP_NAMESPACE((byte) 9),
        ALTER_NAMESPACE((byte) 10),
        OBTAIN_DELEGATION_TOKEN((byte) 11);
      }
      

      The fix should be straightforward---just add the corresponding permissions into the Thrift proxy file.

      Let me know if you need any more info, or want a patch for this.

      Thanks!

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                cutylewiwi Yudong Wu
                Reporter:
                cutylewiwi Yudong Wu
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h 20m
                  1h 20m