Posted to dev@phoenix.apache.org by "Geoffrey Jacoby (Jira)" <ji...@apache.org> on 2022/10/03 20:04:00 UTC

[jira] [Updated] (PHOENIX-6579) ACL check doesn't honor the namespace mapping for mapped views.

     [ https://issues.apache.org/jira/browse/PHOENIX-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Geoffrey Jacoby updated PHOENIX-6579:
-------------------------------------
    Fix Version/s: 5.2.0

> ACL check doesn't honor the namespace mapping for mapped views.
> ---------------------------------------------------------------
>
>                 Key: PHOENIX-6579
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6579
>             Project: Phoenix
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5.1.2
>            Reporter: Sergey Soldatov
>            Assignee: Sergey Soldatov
>            Priority: Major
>             Fix For: 5.2.0, 5.1.3
>
>
> When the namespace mapping and ACLs are enabled and the user tries to create a view on top of the existing HBase table, the query would fail if he doesn't have permissions for the default namespace. 
> {noformat}
> *Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=admin/admin@EXAMPLE.COM, scope=default:my_ns.my_table, action=[READ])
>  at org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
>  at org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
>  at org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
>  at org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
>  at org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
>  at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
>  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
>  at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
>  at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
>  at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
>  at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
>  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
>  at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318) (state=08000,code=101)
>  {noformat}
> That happens because in the MetaData endpoint implementation we are still using _SchemaUtil.getTableNameAsBytes(schemaName, tableName)_ for the mapped view which knows nothing about namespace mapping, so the ACL check is going against 'default:schema.table'. It could be fixed easily by replacing the call with _SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, isNamespaceMapped).getBytes();_



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
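
The scope mismatch described in the report, as an added Java sketch that is not Phoenix or HBase code. `legacyName` and `physicalName` are hypothetical stand-ins that model the two `SchemaUtil` calls named above, and the grant table and the user `admin` are constructed sample data.

```java
import java.util.Set;

// Simplified model of the ACL scope mismatch in PHOENIX-6579; not Phoenix or HBase code.
public class NamespaceAclDemo {

    // Models the call used before the fix: always "schema.table", unaware of namespace mapping.
    static String legacyName(String schema, String table) {
        return schema == null || schema.isEmpty() ? table : schema + "." + table;
    }

    // Models the mapping-aware call: "schema:table" when the schema is mapped to an HBase namespace.
    static String physicalName(String schema, String table, boolean isNamespaceMapped) {
        if (schema == null || schema.isEmpty()) return table;
        return schema + (isNamespaceMapped ? ":" : ".") + table;
    }

    // HBase places a table name with no "namespace:" prefix in the "default" namespace.
    static String scopeOf(String hbaseName) {
        return hbaseName.contains(":") ? hbaseName : "default:" + hbaseName;
    }

    // Constructed grants, encoded as "user|scope|action"; a "ns:*" scope is a namespace-wide grant.
    static final Set<String> GRANTS = Set.of("admin|my_ns:*|READ");

    // Allow when the user holds the action on the exact table scope or on its namespace.
    static boolean hasAccess(String user, String hbaseName, String action) {
        String scope = scopeOf(hbaseName);
        String ns = scope.substring(0, scope.indexOf(':'));
        return GRANTS.contains(user + "|" + scope + "|" + action)
            || GRANTS.contains(user + "|" + ns + ":*|" + action);
    }

    public static void main(String[] args) {
        // Same schema and table, resolved the old way and the namespace-aware way.
        String before = legacyName("my_ns", "my_table");
        String after = physicalName("my_ns", "my_table", true);
        System.out.println(scopeOf(before) + " READ allowed: " + hasAccess("admin", before, "READ"));
        System.out.println(scopeOf(after) + " READ allowed: " + hasAccess("admin", after, "READ"));
    }
}
```

The first line checks the same `default:my_ns.my_table` scope that appears in the `AccessDeniedException` above, which the namespace grant on `my_ns` does not cover.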