Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-5374

Incorrect exception thrown in some cases when client does not have Exec permissions on SYSTEM:CATALOG

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 4.15.0, 5.1.0
    • None
    • None

    Description

      Scenario:

      • Server and client-side namespace-mapping is enabled.
      • "hbase.security.exec.permission.checks" is true on the server. Thus, EXEC permission checking will be performed during coprocessor endpoint invocations.
      • Client does not have EXEC permissions on SYSTEM:CATALOG
      • Client calls DriverManager.getConnection(..) and this fails with the following exception:
      java.sql.SQLException: ERROR 2006 (INT08): Incompatible jars detected between client and server. Ensure that phoenix-[version]-server.jar is put on the classpath of HBase in every region server: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=unprivilegedUser_N000007, scope=SYSTEM:CATALOG, params=[table=SYSTEM:CATALOG],action=EXEC)
	at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:281)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:446)
	at org.apache.hadoop.hbase.security.access.AccessController.preEndpointInvocation(AccessController.java:2015)
	at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$64.call(RegionCoprocessorHost.java:1707)
	at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$64.call(RegionCoprocessorHost.java:1704)
	at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithResult.callObserver(CoprocessorHost.java:578)
	at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:614)
	at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperationWithResult(CoprocessorHost.java:592)
	at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preEndpointInvocation(RegionCoprocessorHost.java:1703)
	at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8011)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2409)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2391)
	at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42010)
	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:409)
	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:130)
	at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
	at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)

      The above is encountered as a result of a call to getVersion from ConnectionQueryServicesImpl#checkClientServerCompatibility, but can occur from any place that we check client-server compatibility.
      The exception bubbles up as an INCOMPATIBLE_CLIENT_SERVER_JAR exception, which is wrong and also leads to misleading logs for clients.

      Attachments

        1. PHOENIX-5374-master-v1.patch
          6 kB
          Chinmay Kulkarni
        2. PHOENIX-5374-4.x-HBase-1.3.patch
          6 kB
          Chinmay Kulkarni

        Issue Links

          links to

          Web Link GitHub Pull Request #526

          Activity

            People

              ckulkarni Chinmay Kulkarni
              ckulkarni Chinmay Kulkarni
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h 20m
                  1h 20m