[PHOENIX-2717] Unable to login if no "create" permission in HBase - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 4.4.0
Fix Version/s: 4.11.0
Component/s: None
Labels:
None
Environment:

HDP 2.3.4

Description

I'm using HBase with Ranger, but I guess that we could have the same issue with internal HBase permission system.

When I try to connect to "hbase" using phoenix client, it crashes because of "Access Denied" exception.

The phoenix client try to create the SYSTEM.CATALOG table (and other SYSTEM tables) and catch only 2 exceptions :
NewerTableAlreadyExistsException and TableAlreadyExistsException

It doesn't catch the "access denied" exception.

https://github.com/apache/phoenix/blob/master/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L2279

In the end, I'm not able to connect to HBase using Phoenix for read purpose, I don't need to be able to create these SYSTEM tables...
I think that the code is a little bit dirty: it should check the existence of the table instead of trying to create it and catch exception.

I have a workaround for now: I grant the "create" permission in Ranger for "SYSTEM.*" tables: they already exist before the user try to connect, so it's not a problem to give them this access.

Attachments

Issue Links

duplicates

PHOENIX-3756 Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: mathias kluba

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 26/Feb/16 21:26

Updated:: 22/Mar/18 07:21

Resolved:: 22/Mar/18 07:21