Posted to notifications@accumulo.apache.org by "Yudong Wu (JIRA)" <ji...@apache.org> on 2016/11/11 09:10:59 UTC
[jira] [Created] (ACCUMULO-4519) System permission bug in Thrift Proxy
Yudong Wu created ACCUMULO-4519:
-----------------------------------
Summary: System permission bug in Thrift Proxy
Key: ACCUMULO-4519
URL: https://issues.apache.org/jira/browse/ACCUMULO-4519
Project: Accumulo
Issue Type: Bug
Components: proxy
Affects Versions: 1.8.0
Reporter: Yudong Wu
Priority: Critical
The system permission lists in core and the Thrift proxy are inconsistent. The proxy lacks support for some of the newly added system permissions, including:
{{System.CREATE_NAMESPACE}}
{{System.DROP_NAMESPACE}}
{{System.ALTER_NAMESPACE}}
{{System.OBTAIN_DELEGATION_TOKEN}}
Currently, when connecting through the Thrift proxy, we can't grant, check or revoke the above 4 System permissions. When a proxy client sends one of these permissions (e.g., {{System.CREATE_NAMESPACE}}), it receives an {{AccumuloException}} wrapping a {{java.lang.NullPointerException}}:
{code:borderStyle=solid}
Traceback (most recent call last):
  File "Client.py", line 32, in <module>
    client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
  File "***AccumuloProxy.py", line 2980, in grantSystemPermission
    self.recv_grantSystemPermission()
  File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
    raise result.ouch1
accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
{code}
The bug is in the Thrift proxy file:
{code:title=accumulo/proxy/src/main/thrift/proxy/thrift|borderStyle=solid}
enum SystemPermission {
  GRANT = 0,
  CREATE_TABLE = 1,
  DROP_TABLE = 2,
  ALTER_TABLE = 3,
  CREATE_USER = 4,
  DROP_USER = 5,
  ALTER_USER = 6,
  SYSTEM = 7,
}
{code}
The {{SystemPermission}} enum is clearly missing permissions #8--#11 defined in Accumulo core:
{code:title=accumulo/core/.../SystemPermission.java|borderStyle=solid}
public enum SystemPermission {
  /*
   * One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
   */
  GRANT((byte) 0),
  CREATE_TABLE((byte) 1),
  DROP_TABLE((byte) 2),
  ALTER_TABLE((byte) 3),
  CREATE_USER((byte) 4),
  DROP_USER((byte) 5),
  ALTER_USER((byte) 6),
  SYSTEM((byte) 7),
  CREATE_NAMESPACE((byte) 8),
  DROP_NAMESPACE((byte) 9),
  ALTER_NAMESPACE((byte) 10),
  OBTAIN_DELEGATION_TOKEN((byte) 11);
}
{code}
The fix should be straightforward---just add the corresponding permissions into the Thrift proxy file.
Let me know if you need any more info, or want a patch for this.
Thanks!
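Added example (not part of the original report and not Accumulo project code): a drift check a build could run to catch this class of bug, comparing the permission ids in the core Java enum against the proxy's Thrift IDL enum. The two inputs are the definitions quoted in the report, condensed and embedded as constructed strings; the function names are hypothetical.

```python
import re
import sys

# Constructed input: the two enum definitions quoted in the report, condensed.
PROXY_THRIFT = """
enum SystemPermission {
  GRANT = 0, CREATE_TABLE = 1, DROP_TABLE = 2, ALTER_TABLE = 3,
  CREATE_USER = 4, DROP_USER = 5, ALTER_USER = 6, SYSTEM = 7,
}
"""
CORE_JAVA = """
public enum SystemPermission {
  GRANT((byte) 0), CREATE_TABLE((byte) 1), DROP_TABLE((byte) 2),
  ALTER_TABLE((byte) 3), CREATE_USER((byte) 4), DROP_USER((byte) 5),
  ALTER_USER((byte) 6), SYSTEM((byte) 7), CREATE_NAMESPACE((byte) 8),
  DROP_NAMESPACE((byte) 9), ALTER_NAMESPACE((byte) 10),
  OBTAIN_DELEGATION_TOKEN((byte) 11);
}
"""

def parse_thrift_enum(idl, name):
    """Return {constant: id} for the named enum in Thrift IDL text."""
    body = re.search(r"enum\s+%s\s*\{(.*?)\}" % re.escape(name), idl, re.S)
    if body is None:
        raise ValueError("enum %s not found in IDL" % name)
    return {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", body.group(1))}

def parse_java_enum(src):
    """Return {constant: id} for constants declared as NAME((byte) N)."""
    return {k: int(v) for k, v in re.findall(r"(\w+)\s*\(\s*\(byte\)\s*(\d+)\s*\)", src)}

def compare(core, proxy):
    """Report core permissions the proxy cannot map, and any id disagreements."""
    missing = sorted((i, n) for n, i in core.items() if n not in proxy)
    renumbered = sorted((n, core[n], proxy[n]) for n in core.keys() & proxy.keys()
                        if core[n] != proxy[n])
    return {"missing_in_proxy": missing, "renumbered": renumbered}

def check():
    core = parse_java_enum(CORE_JAVA)
    proxy = parse_thrift_enum(PROXY_THRIFT, "SystemPermission")
    return compare(core, proxy)

if __name__ == "__main__":
    result = check()
    for pid, pname in result["missing_in_proxy"]:
        print("proxy IDL lacks System.%s (id %d)" % (pname, pid))
    for pname, c, p in result["renumbered"]:
        print("id mismatch for %s: core=%d proxy=%d" % (pname, c, p))
    sys.exit(1 if any(result.values()) else 0)
```

The `renumbered` check enforces the rule stated in the core enum's comment that numbers already in use must not change.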