  1. Accumulo
  2. ACCUMULO-4519

System permission bug in Thrift Proxy

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0
    • Fix Version/s: 1.7.3, 1.8.1, 2.0.0
    • Component/s: proxy
    • Labels: None

    Description

      The system permission list between core and Thrift proxy is inconsistent. The proxy lacks support for some of the newly added system permissions, including:
      System.CREATE_NAMESPACE
      System.DROP_NAMESPACE
      System.ALTER_NAMESPACE
      System.OBTAIN_DELEGATION_TOKEN

      Currently, when connecting through the Thrift proxy, we can't grant, check or revoke the above 4 System permissions. When a proxy client sends permissions (i.e., System.CREATE_NAMESPACE), it will receive an AccumuloException wrapping a java.lang.NullPointerException:

      Traceback (most recent call last):
        File "Client.py", line 32, in <module>
          client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
        File "***AccumuloProxy.py", line 2980, in grantSystemPermission
          self.recv_grantSystemPermission()
        File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
          raise result.ouch1
      accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
      

      The bug is in the Thrift proxy file

      accumulo/proxy/src/main/thrift/proxy/thrift
      enum SystemPermission {
        GRANT = 0,
        CREATE_TABLE = 1,
        DROP_TABLE = 2,
        ALTER_TABLE = 3,
        CREATE_USER = 4,
        DROP_USER = 5,
        ALTER_USER = 6,
        SYSTEM = 7,
      }
      

      The SystemPermission enum is clearly missing permissions #8 through #11 defined in Accumulo core:

      accumulo/core/.../SystemPermission.java
      public enum SystemPermission {
        /*
         * One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
         */
        GRANT((byte) 0),
        CREATE_TABLE((byte) 1),
        DROP_TABLE((byte) 2),
        ALTER_TABLE((byte) 3),
        CREATE_USER((byte) 4),
        DROP_USER((byte) 5),
        ALTER_USER((byte) 6),
        SYSTEM((byte) 7),
        CREATE_NAMESPACE((byte) 8),
        DROP_NAMESPACE((byte) 9),
        ALTER_NAMESPACE((byte) 10),
        OBTAIN_DELEGATION_TOKEN((byte) 11);
      }
      

      The fix should be straightforward: just add the corresponding permissions to the Thrift proxy file.

      Let me know if you need any more info, or want a patch for this.

      Thanks!

      Attachments

        1. ACCUMULO-4519.0000.patch
          5 kB
          Yudong Wu
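
A check that would catch this kind of drift, as an added example (not code from Accumulo or from the attached patch): it parses the two enum definitions quoted in the description and reports members the proxy IDL lacks or numbers differently. The function names and the regex-based parsing are assumptions made for illustration.

```python
import re

# Enum bodies condensed from the two definitions quoted in this issue.
THRIFT_IDL = """
enum SystemPermission {
  GRANT = 0, CREATE_TABLE = 1, DROP_TABLE = 2, ALTER_TABLE = 3,
  CREATE_USER = 4, DROP_USER = 5, ALTER_USER = 6, SYSTEM = 7,
}
"""
JAVA_SRC = """
public enum SystemPermission {
  /* new permissions must use new numbers */
  GRANT((byte) 0), CREATE_TABLE((byte) 1), DROP_TABLE((byte) 2),
  ALTER_TABLE((byte) 3), CREATE_USER((byte) 4), DROP_USER((byte) 5),
  ALTER_USER((byte) 6), SYSTEM((byte) 7), CREATE_NAMESPACE((byte) 8),
  DROP_NAMESPACE((byte) 9), ALTER_NAMESPACE((byte) 10),
  OBTAIN_DELEGATION_TOKEN((byte) 11);
}
"""

def enum_body(src, name):
    """Return the text between the braces of `enum <name> { ... }`."""
    # Strip /* */ and // comments first so commented-out members are ignored.
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)
    m = re.search(r"\benum\s+%s\s*\{(.*?)\}" % re.escape(name), src, re.S)
    if m is None:
        raise ValueError("enum %s not found" % name)
    return m.group(1)

def thrift_members(src, name="SystemPermission"):
    """Map NAME -> number for `NAME = n` entries in a Thrift enum."""
    body = enum_body(src, name)
    return {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", body)}

def java_members(src, name="SystemPermission"):
    """Map NAME -> number for `NAME((byte) n)` constants in the Java enum."""
    pat = r"(\w+)\s*\(\s*\(byte\)\s*(\d+)\s*\)"
    return {k: int(v) for k, v in re.findall(pat, enum_body(src, name))}

def drift(core, proxy):
    """Treat core as authoritative; return (missing, renumbered) for proxy."""
    missing = {k: v for k, v in core.items() if k not in proxy}
    renumbered = {k: (core[k], proxy[k])
                  for k in core.keys() & proxy.keys() if core[k] != proxy[k]}
    return missing, renumbered

if __name__ == "__main__":
    missing, renumbered = drift(java_members(JAVA_SRC), thrift_members(THRIFT_IDL))
    print("missing from proxy:", missing)
    print("renumbered in proxy:", renumbered)
```

Run against the real source files in a build step, a non-empty `missing` or `renumbered` result would fail the build before a proxy client hits the gap at runtime.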

            People

              cutylewiwi Yudong Wu
              Votes: 0
              Watchers: 5

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 1h 20m