Description
When namespace mapping and ACLs are enabled and a user tries to create a view on top of an existing HBase table, the query fails if the user doesn't have permissions for the default namespace.
Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=admin/admin@EXAMPLE.COM, scope=default:my_ns.my_table, action=[READ])
    at org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
    at org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
    at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
    at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
    at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
    at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
    at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
    at org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
    at org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
    at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
    at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318) (state=08000,code=101)
That happens because the MetaData endpoint implementation still uses SchemaUtil.getTableNameAsBytes(schemaName, tableName) for the mapped view, which knows nothing about namespace mapping, so the ACL check is made against 'default:schema.table'. It can be fixed easily by replacing the call with SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, isNamespaceMapped).getBytes().
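The effect of the two name forms on the ACL scope, as an added illustration that is not Phoenix or HBase source code: flatName, physicalName, scopeOf, canRead and the grant table are hypothetical stand-ins that only model the '.' versus ':' separator and a namespace-level READ grant for the user "admin" on my_ns.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: a simplified model, not Phoenix or HBase source code.
public class NamespaceAclDemo {

    // Stand-in for a name built without namespace awareness: "schema.table".
    static String flatName(String schema, String table) {
        return schema.isEmpty() ? table : schema + "." + table;
    }

    // Stand-in for the namespace-aware name: "schema:table" when mapping is on.
    static String physicalName(String schema, String table, boolean isNamespaceMapped) {
        if (isNamespaceMapped && !schema.isEmpty()) {
            return schema + ":" + table;
        }
        return flatName(schema, table);
    }

    // HBase-style resolution: a name without ':' belongs to the "default" namespace.
    static String scopeOf(String hbaseName) {
        return hbaseName.indexOf(':') < 0 ? "default:" + hbaseName : hbaseName;
    }

    static String namespaceOf(String hbaseName) {
        String scope = scopeOf(hbaseName);
        return scope.substring(0, scope.indexOf(':'));
    }

    // Constructed grants (assumption): namespace -> users holding READ on it.
    static final Map<String, Set<String>> READ_GRANTS =
            Map.of("my_ns", Set.of("admin"));

    // The access check is made against the namespace the name resolves to.
    static boolean canRead(String user, String hbaseName) {
        return READ_GRANTS.getOrDefault(namespaceOf(hbaseName), Set.of()).contains(user);
    }

    public static void main(String[] args) {
        String before = flatName("my_ns", "my_table");           // name used by the failing check
        String after = physicalName("my_ns", "my_table", true);  // name after the proposed change
        for (String name : new String[] {before, after}) {
            System.out.printf("name=%s scope=%s READ allowed=%b%n",
                    name, scopeOf(name), canRead("admin", name));
        }
    }
}
```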