Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-6579

ACL check doesn't honor the namespace mapping for mapped views.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.1.2
    • 5.2.0, 5.1.3
    • core
    • None

    Description

      When the namespace mapping and ACLs are enabled and the user tries to create a view on top of the existing HBase table, the query would fail if he doesn't have permissions for the default namespace. 

      *Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=admin/admin@EXAMPLE.COM, scope=default:my_ns.my_table, action=[READ])
 at org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
 at org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
 at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
 at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
 at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
 at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
 at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
 at org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
 at org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
 at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
 at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
 at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
 at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
 at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
 at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
 at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
 at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318) (state=08000,code=101)
 

      That happens because in the MetaData endpoint implementation we are still using SchemaUtil.getTableNameAsBytes(schemaName, tableName) for the mapped view which knows nothing about namespace mapping, so the ACL check is going against 'default:schema.table'. It could be fixed easy by  replacing the call with SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, isNamespaceMapped).getBytes();

      Attachments

        Activity

          People

            sergey.soldatov Sergey Soldatov
            ssa Sergey Soldatov
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: