Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-3756

Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.11.0
    • Labels:
      None

      Description

      Follow-on from PHOENIX-3652:

      The fix provided in PHOENIX-3652 addressed the default situation where users would need ADMIN on the default HBase namespace. However, when phoenix.schema.isNamespaceMappingEnabled=true and Phoenix creates its system tables in the SYSTEM HBase namespace, unprivileged users (those lacking ADMIN on SYSTEM) still cannot connect to Phoenix.

      The root-cause is essentially the same: the code tries to fetch the NamespaceDescriptor for the SYSTEM namespace which requires the ADMIN permission.

      https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037

        Attachments

        1. PHOENIX-3756.008.patch
          26 kB
          Josh Elser
        2. PHOENIX-3756.007.patch
          22 kB
          Josh Elser
        3. PHOENIX-3756.006.patch
          22 kB
          Josh Elser
        4. PHOENIX-3756.005.patch
          19 kB
          Josh Elser
        5. PHOENIX-3756.004.patch
          18 kB
          Josh Elser
        6. PHOENIX-3756.003.patch
          15 kB
          Josh Elser
        7. PHOENIX-3756.002.patch
          15 kB
          Josh Elser
        8. PHOENIX-3756.001.patch
          3 kB
          Josh Elser

          Issue Links

            Activity

              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                elserj Josh Elser
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: