You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by "Yudong Wu (JIRA)" <ji...@apache.org> on 2016/11/11 09:10:59 UTC

[jira] [Created] (ACCUMULO-4519) System permission bug in Thrift Proxy

Yudong Wu created ACCUMULO-4519:
-----------------------------------

             Summary: System permission bug in Thrift Proxy
                 Key: ACCUMULO-4519
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4519
             Project: Accumulo
          Issue Type: Bug
          Components: proxy
    Affects Versions: 1.8.0
            Reporter: Yudong Wu
            Priority: Critical


The system permission list between core and Thrift proxy is inconsistent. The proxy lacks the support for some of the newly added system permissions, including:
{{System.CREATE_NAMESPACE}}
{{System.DROP_NAMESPACE}}
{{System.ALTER_NAMESPACE}}
{{System.OBTAIN_DELEGATION_TOKEN}}

Currently, when connecting through Thrift proxy, we can't grant, check or revoke the above 4 System permissions. When a proxy client sends permissions (i.e., {{System.CREATE_NAMESPACE}}), it will receive {{AccumuloException}} wrapping around {{java.lang.NullPointerException}}:

{code:borderStyle=solid}
Traceback (most recent call last):
  File "Client.py", line 32, in <module>
    client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
  File "***AccumuloProxy.py", line 2980, in grantSystemPermission
    self.recv_grantSystemPermission()
  File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
    raise result.ouch1
accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
{code}

The bug is in the Thrift proxy file
{code:title=accumulo/proxy/src/main/thrift/proxy/thrift|borderStyle=solid}
enum SystemPermission {
  GRANT = 0,
  CREATE_TABLE = 1,
  DROP_TABLE = 2,
  ALTER_TABLE = 3,
  CREATE_USER = 4,
  DROP_USER = 5,
  ALTER_USER = 6,
  SYSTEM = 7,
}
{code}

The {{SystemPermission}} enum clearly misses Permission #8--#11 defined in Accumulo core:
{code:title=accumulo/core/.../SystemPermission.java|borderStyle=solid}
public enum SystemPermission {
  /*
   * One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
   */
  GRANT((byte) 0),
  CREATE_TABLE((byte) 1),
  DROP_TABLE((byte) 2),
  ALTER_TABLE((byte) 3),
  CREATE_USER((byte) 4),
  DROP_USER((byte) 5),
  ALTER_USER((byte) 6),
  SYSTEM((byte) 7),
  CREATE_NAMESPACE((byte) 8),
  DROP_NAMESPACE((byte) 9),
  ALTER_NAMESPACE((byte) 10),
  OBTAIN_DELEGATION_TOKEN((byte) 11);
}
{code}

The fix should be straightforward---just add the corresponding permissions into the Thrift proxy file. 

Let me know if you need any more info, or want a patch for this. 

Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)