PHOENIX-3756: Users lacking ADMIN on 'SYSTEM' HBase namespace can't connect to Phoenix

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.11.0
    • Component/s: None
    • Labels: None

    Description

      Follow-on from PHOENIX-3652:

      The fix provided in PHOENIX-3652 addressed the default situation where users would need ADMIN on the default HBase namespace. However, when phoenix.schema.isNamespaceMappingEnabled=true and Phoenix creates its system tables in the SYSTEM HBase namespace, unprivileged users (those lacking ADMIN on SYSTEM) still cannot connect to Phoenix.

      The root cause is essentially the same: the code tries to fetch the NamespaceDescriptor for the SYSTEM namespace, which requires the ADMIN permission.

      https://github.com/apache/phoenix/blob/8093d10f1a481101d6c93fdf0744ff15ec48f4aa/phoenix-core/src/main/java/org/apache/phoenix/query/ConnectionQueryServicesImpl.java#L1017-L1037

      Attachments

        1. PHOENIX-3756.001.patch (3 kB, Josh Elser)
        2. PHOENIX-3756.002.patch (15 kB, Josh Elser)
        3. PHOENIX-3756.003.patch (15 kB, Josh Elser)
        4. PHOENIX-3756.004.patch (18 kB, Josh Elser)
        5. PHOENIX-3756.005.patch (19 kB, Josh Elser)
        6. PHOENIX-3756.006.patch (22 kB, Josh Elser)
        7. PHOENIX-3756.007.patch (22 kB, Josh Elser)
        8. PHOENIX-3756.008.patch (26 kB, Josh Elser)

      People

        Assignee: Josh Elser (elserj)
        Reporter: Josh Elser (elserj)
        Votes: 0
        Watchers: 5