[PHOENIX-2717] Unable to login if no "create" permission in HBase - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 4.4.0
Fix Version/s: 4.11.0
Component/s: None
Labels:
None
Environment:

HDP 2.3.4

Description

I'm using HBase with Ranger, but I guess that we could have the same issue with internal HBase permission system.

When I try to connect to "hbase" using phoenix client, it crashes because of "Access Denied" exception.

The phoenix client try to create the SYSTEM.CATALOG table (and other SYSTEM tables) and catch only 2 exceptions :
NewerTableAlreadyExistsException and TableAlreadyExistsException

It doesn't catch the "access denied" exception.

https://github.com/apache/phoenix/blob/master/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L2279

In the end, I'm not able to connect to HBase using Phoenix for read purpose, I don't need to be able to create these SYSTEM tables...
I think that the code is a little bit dirty: it should check the existence of the table instead of trying to create it and catch exception.

I have a workaround for now: I grant the "create" permission in Ranger for "SYSTEM.*" tables: they already exist before the user try to connect, so it's not a problem to give them this access.