You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@phoenix.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/01/07 06:57:00 UTC

[jira] [Commented] (PHOENIX-6579) ACL check doesn't honor the namespace mapping for mapped views.

    [ https://issues.apache.org/jira/browse/PHOENIX-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470374#comment-17470374 ] 

ASF GitHub Bot commented on PHOENIX-6579:
-----------------------------------------

stoty commented on pull request #1340:
URL: https://github.com/apache/phoenix/pull/1340#issuecomment-1007182501


   This got me thinking that we should in fact 
   use `"^"+tableName.getNameWithNamespaceInclAsString()+"$"`
   
   to avoid a similar stituation, where we have permission for `ns:prefixTable,` and we do not add the required new permission for `ns:prefixTableFoo` because we THINK we already have it.
   
   I think I'm going to open am HBase ticket about the horrific API design (if one doesn't exist yet).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@phoenix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> ACL check doesn't honor the namespace mapping for mapped views.
> ---------------------------------------------------------------
>
>                 Key: PHOENIX-6579
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6579
>             Project: Phoenix
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5.1.2
>            Reporter: Sergey Soldatov
>            Assignee: Sergey Soldatov
>            Priority: Major
>
> When the namespace mapping and ACLs are enabled and the user tries to create a view on top of the existing HBase table, the query would fail if he doesn't have permissions for the default namespace. 
> {noformat}
> *Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=admin/admin@EXAMPLE.COM, scope=default:my_ns.my_table, action=[READ])
>  at org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
>  at org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
>  at org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
>  at org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
>  at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
>  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
>  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
>  at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
>  at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
>  at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
>  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
>  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318) (state=08000,code=101)
>  {noformat}
> That happens because in the MetaData endpoint implementation we are still using _SchemaUtil.getTableNameAsBytes(schemaName, tableName)_ for the mapped view which knows nothing about namespace mapping, so the ACL check is going against 'default:schema.table'. It could be fixed easy by  replacing the call with _SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, isNamespaceMapped).getBytes();_



--
This message was sent by Atlassian Jira
(v8.20.1#820001)